few more updates
parent
038119d9df
commit
8b0f2214b1
|
@ -83,7 +83,7 @@ module Auxiliary::EPMP
|
|||
end
|
||||
end
|
||||
|
||||
# run if version > 3.5
|
||||
# run if version > 3.4.1
|
||||
|
||||
def login_2(user, pass, epmp_ver)
|
||||
res = send_request_cgi(
|
||||
|
@ -138,8 +138,7 @@ module Auxiliary::EPMP
|
|||
good_response = (
|
||||
res &&
|
||||
res.code == 200 &&
|
||||
!res.body.include?('auth_failed') &&
|
||||
!res.body.include?('Maximum number of users reached.')
|
||||
!res.body.include?('auth_failed')
|
||||
)
|
||||
|
||||
if good_response
|
||||
|
@ -152,24 +151,33 @@ module Auxiliary::EPMP
|
|||
password: pass
|
||||
)
|
||||
|
||||
# get the cookie now
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
|
||||
stok_value = "#{stok_value_dirty}".split('"')[3]
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
# check if max_user_number_reached?
|
||||
if !res.body.include?('max_user_number_reached')
|
||||
# get the cookie now
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
|
||||
stok_value = "#{stok_value_dirty}".split('"')[3]
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
|
||||
final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"
|
||||
final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + stok_value
|
||||
|
||||
# create config_uri for different modules
|
||||
config_uri_dump_config = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/config_export?opts=json'
|
||||
config_uri_reset_pass = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/set_param'
|
||||
config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
|
||||
# create config_uri for different modules
|
||||
config_uri_dump_config = '/cgi-bin/luci/;stok=' + stok_value + '/admin/config_export?opts=json'
|
||||
config_uri_reset_pass = '/cgi-bin/luci/;stok=' + stok_value + '/admin/set_param'
|
||||
config_uri_get_chart = '/cgi-bin/luci/;stok=' + stok_value + '/admin/get_chart'
|
||||
|
||||
return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart
|
||||
return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart
|
||||
else
|
||||
print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_dump_config = 'skip'
|
||||
config_uri_reset_pass = 'skip'
|
||||
config_uri_get_chart = 'skip'
|
||||
return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart
|
||||
end
|
||||
else
|
||||
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
|
||||
print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_dump_config = 'skip'
|
||||
config_uri_reset_pass = 'skip'
|
||||
|
@ -179,7 +187,7 @@ module Auxiliary::EPMP
|
|||
end
|
||||
end
|
||||
|
||||
# run if version < 3.5
|
||||
# run if version < 3.4.1
|
||||
def login_1(user, pass, epmp_ver)
|
||||
res = send_request_cgi(
|
||||
{
|
||||
|
@ -235,8 +243,7 @@ module Auxiliary::EPMP
|
|||
good_response = (
|
||||
res &&
|
||||
res.code == 200 &&
|
||||
cookies.has_key?('stok') &&
|
||||
!res.body.include?('Maximum number of users reached.')
|
||||
!res.body.include?('auth_failed')
|
||||
)
|
||||
|
||||
if good_response
|
||||
|
@ -249,24 +256,34 @@ module Auxiliary::EPMP
|
|||
password: pass
|
||||
)
|
||||
|
||||
# check if max_user_number_reached?
|
||||
if !res.body.include?('max_user_number_reached')
|
||||
# get the final cookie now
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value = cookies.has_key?('stok') && cookies['stok'].first
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value = cookies.has_key?('stok') && cookies['stok'].first
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
|
||||
final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
|
||||
final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + stok_value
|
||||
|
||||
# create config_uri for different modules
|
||||
config_uri_dump_config = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/config_export?opts=json'
|
||||
config_uri_reset_pass = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/set_param'
|
||||
config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
|
||||
config_uri_ping = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/ping'
|
||||
# create config_uri for different modules
|
||||
config_uri_dump_config = '/cgi-bin/luci/;stok=' + stok_value + '/admin/config_export?opts=json'
|
||||
config_uri_reset_pass = '/cgi-bin/luci/;stok=' + stok_value + '/admin/set_param'
|
||||
config_uri_get_chart = '/cgi-bin/luci/;stok=' + stok_value + '/admin/get_chart'
|
||||
config_uri_ping = '/cgi-bin/luci/;stok=' + stok_value + '/admin/ping'
|
||||
|
||||
return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart, config_uri_ping
|
||||
return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart, config_uri_ping
|
||||
else
|
||||
print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_dump_config = 'skip'
|
||||
config_uri_reset_pass = 'skip'
|
||||
config_uri_get_chart = 'skip'
|
||||
config_uri_ping = 'skip'
|
||||
return final_cookie, config_uri_dump_config, config_uri_reset_pass, config_uri_get_chart, config_uri_ping
|
||||
end
|
||||
else
|
||||
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
|
||||
print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_dump_config = 'skip'
|
||||
config_uri_reset_pass = 'skip'
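Review bot: Replacing `"#{stok_value}"` with bare `stok_value` in the `final_cookie` and `config_uri_*` concatenations of login_2 and login_1 turns a missing token into a TypeError instead of an empty string. In login_2 `stok_value` is `nil` when the `"stok"` pattern is absent from the body. In login_1 it is `false` when there is no `stok` cookie, which looks reachable now that the `cookies.has_key?('stok')` condition appears to have been dropped from `good_response`. Check the token before building the strings, for example `return 'skip', 'skip', 'skip', 'skip' unless stok_value.is_a?(String)` in login_2 (five values in login_1), or keep the interpolation. The same bare concatenation appears in the later module section that returns `config_uri_ping`; both method bodies start and end outside the hunks shown.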
|
||||
|
|
|
@ -35,5 +35,5 @@ require 'msf/core/auxiliary/mms'
|
|||
#
|
||||
# Custom HTTP modules
|
||||
#
|
||||
require 'msf/core/exploit/http/cnpilot'
|
||||
require 'msf/core/exploit/http/epmp'
|
||||
require 'msf/core/auxiliary/cnpilot'
|
||||
require 'msf/core/auxiliary/epmp'
|
||||
|
|
|
@ -163,28 +163,36 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
good_response = (
|
||||
res &&
|
||||
res.code == 200 &&
|
||||
!res.body.include?('auth_failed') &&
|
||||
!res.body.include?('Maximum number of users reached.')
|
||||
!res.body.include?('auth_failed')
|
||||
)
|
||||
|
||||
if good_response
|
||||
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
|
||||
|
||||
# get the cookie now
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
|
||||
stok_value = "#{stok_value_dirty}".split('"')[3]
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
# check if max_user_number_reached?
|
||||
if !res.body.include?('max_user_number_reached')
|
||||
# get the cookie now
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value_dirty = res.body.match(/"stok": "(.*?)"/)
|
||||
stok_value = "#{stok_value_dirty}".split('"')[3]
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
|
||||
final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"
|
||||
final_cookie = "#{sysauth_value}" + 'usernameType_80=admin; stok_80=' + "#{stok_value}"
|
||||
|
||||
# create config_uri
|
||||
config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
|
||||
return final_cookie, config_uri_get_chart
|
||||
# create config_uri
|
||||
config_uri_get_chart = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/get_chart'
|
||||
return final_cookie, config_uri_get_chart
|
||||
else
|
||||
print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_dump_config = 'skip'
|
||||
config_uri_reset_pass = 'skip'
|
||||
config_uri_get_chart = 'skip'
|
||||
return final_cookie, config_uri_get_chart
|
||||
end
|
||||
else
|
||||
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
|
||||
print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_get_chart = 'skip'
|
||||
return final_cookie, config_uri_get_chart
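Review bot: The new max-user `else` branch assigns `config_uri_dump_config = 'skip'` and `config_uri_reset_pass = 'skip'`, but this method only returns `final_cookie, config_uri_get_chart`, so both assignments are dead code that looks copied from the shared mixin. Drop the two lines so the branch keeps only `final_cookie = 'skip'`, `config_uri_get_chart = 'skip'` and `return final_cookie, config_uri_get_chart`. The enclosing method starts and ends outside the hunk.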
|
||||
|
|
|
@ -165,28 +165,34 @@ class MetasploitModule < Msf::Exploit::Remote
|
|||
good_response = (
|
||||
res &&
|
||||
res.code == 200 &&
|
||||
cookies.has_key?('stok') &&
|
||||
!res.body.include?('Maximum number of users reached.')
|
||||
!res.body.include?('auth_failed')
|
||||
)
|
||||
|
||||
if good_response
|
||||
print_good("SUCCESSFUL LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
|
||||
|
||||
# check if max_user_number_reached?
|
||||
if !res.body.include?('max_user_number_reached')
|
||||
# get the final cookie now
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value = cookies.has_key?('stok') && cookies['stok'].first
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
cookies = res.get_cookies_parsed
|
||||
stok_value = cookies.has_key?('stok') && cookies['stok'].first
|
||||
sysauth_dirty = cookies.values.select { |v| v.to_s =~ /sysauth_/ }.first.to_s
|
||||
sysauth_value = sysauth_dirty.match(/((.*)[$ ])/)
|
||||
|
||||
final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + "#{stok_value}"
|
||||
final_cookie = "#{sysauth_value}" + "globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22#{user}%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=" + stok_value
|
||||
|
||||
# create config_uri
|
||||
config_uri_ping = '/cgi-bin/luci/;stok=' + "#{stok_value}" + '/admin/ping'
|
||||
# create config_uri
|
||||
config_uri_ping = '/cgi-bin/luci/;stok=' + stok_value + '/admin/ping'
|
||||
|
||||
return final_cookie, config_uri_ping
|
||||
return final_cookie, config_uri_ping
|
||||
else
|
||||
print_error('The credentials are correct but maximum number of logged-in users reached. Try again later.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_ping = 'skip'
|
||||
return final_cookie, config_uri_ping
|
||||
end
|
||||
else
|
||||
print_error("FAILED LOGIN - #{rhost}:#{rport} - #{user.inspect}:#{pass.inspect}")
|
||||
print_status('Either the credentials are incorrect or Maximum number of logged-in users reached.')
|
||||
final_cookie = 'skip'
|
||||
config_uri_ping = 'skip'
|
||||
return final_cookie, config_uri_ping
|
||||
|
|