Routersploit: a router attack tool

2023-05-18 14:22:58

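Introduction

Routersploit is a tool, written in Python, that bundles a large number of known router vulnerabilities. It can quickly scan a router for vulnerabilities and quickly exploit them to attack the router. It is similar to MSF (Metasploit Framework), and usage is largely the same.

Installing on Kali

Install with apt-get: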

apt-get update
apt-get install routersploit
pip3 install routersploit


Install with git:

git clone https://www.github.com/threat9/routersploit
cd routersploit
python3 -m pip install -r requirements.txt
python3 rsf.py


I installed it the first way, which is quick and convenient.

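Details

Module functions

Module      Function
------      --------
exploits    Once a security vulnerability has been identified on the target device, these modules exploit it, for example to escalate privileges
creds       Tests the login credentials of network services
scanners    Checks whether the target device has exploitable security vulnerabilities
payloads    Generates payloads for various architectures and injection points
generic     Modules that perform generic attacks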

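Commands

Command                  Description
-------                  -----------
show <module name>       Lists the submodules under that module (only the module names listed above are accepted)
show options             Shows the option settings
use <module name>        Uses that module
set <option> <value>     Sets an option to a value
run                      Runs the module
search <query>           Fuzzy search for modules

The scanners module

Scans a router for known vulnerabilities.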

┌──(root㉿kali)-[~/Desktop]
└─# routersploit                      # enter the routersploit console
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
       Exploitation Framework for    |_|    by Threat9
            Embedded Devices

 Codename   : I Knew You Were Trouble
 Version    : 3.4.1
 Homepage   : https://www.threat9.com - @threatnine
 Join Slack : https://www.threat9.com/slack

 Join Threat9 Beta Program - https://www.threat9.com

 Exploits: 132 Scanners: 4 Creds: 171 Generic: 4 Payloads: 32 Encoders: 4

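rsf > use scanners/              # use the scanners module; press Tab to complete, press it again to list the submodules
scanners/autopwn   scanners/cameras/  scanners/misc/     scanners/routers/
rsf > use scanners/autopwn       # use the autopwn module under scanners; autopwn is an automatic scanning module
rsf (AutoPwn) > show options     # view the module's options; the target option needs to be set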

Target options:

   Name       Current settings     Description                     
   ----       ----------------     -----------                     
   target                          Target IPv4 or IPv6 address     


Module options:

   Name           Current settings     Description                           
   ----           ----------------     -----------                           
   vendor         any                  Vendor concerned (default: any)       
   http_use       true                 Check HTTP[s] service: true/false     
   http_ssl       false                HTTPS enabled: true/false             
   ftp_use        true                 Check FTP[s] service: true/false      
   ftp_ssl        false                FTPS enabled: true/false              
   ssh_use        true                 Check SSH service: true/false         
   telnet_use     true                 Check Telnet service: true/false      
   snmp_use       true                 Check SNMP service: true/false        
   threads        8                    Number of threads                     


rsf (AutoPwn) > set target 192.168.1.1   # set target to the router address 192.168.1.1 (you can look it up with the ip command)
[+] target => 192.168.1.1
rsf (AutoPwn) > run                      # run the module
[*] Running module scanners/autopwn...

[*] 192.168.1.1 Starting vulnerablity check...
[-] 192.168.1.1:80 http exploits/generic/heartbleed is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/shuttle/915wm_dns_change Could not be verified
[-] 192.168.1.1:80 http exploits/routers/huawei/hg530_hg520b_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/bhu/bhu_urouter_rce is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/billion/billion_5200w_rce Could not be verified
[-] 192.168.1.1:80 http exploits/routers/huawei/e5331_mifi_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/huawei/hg866_password_change is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/billion/billion_7700nr4_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/ubiquiti/airos_6_x is not vulnerable
[-] 192.168.1.1:21 ftp exploits/routers/technicolor/tg784_authbypass is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/technicolor/tc7200_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/generic/shellshock is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/asus/asuswrt_lan_rce Could not be verified
[-] 192.168.1.1:22 ssh exploits/generic/ssh_auth_keys is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/asus/rt_n16_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/technicolor/tc7200_password_disclosure_v2 is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/technicolor/dwg855_authbypass is not vulnerable
[*] 192.168.1.1:23 custom/tcp exploits/routers/cisco/catalyst_2960_rocem Could not be verified
[-] 192.168.1.1:80 http exploits/routers/netsys/multi_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/cisco/dpc2420_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/cisco/firepower_management60_path_traversal is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/cisco/secure_acs_bypass Could not be verified
[-] 192.168.1.1:80 http exploits/routers/cisco/unified_multi_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/cisco/firepower_management60_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/linksys/wrt100_110_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/linksys/smartwifi_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/cisco/ucs_manager_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/linksys/1500_2500_rce is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/3com/officeconnect_rce Could not be verified
[-] 192.168.1.1:80 http exploits/routers/linksys/eseries_themoon_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/linksys/wap54gv3_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/3com/imc_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/3com/ap8760_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/comtrend/ct_5361t_password_disclosure is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/netgear/dgn2200_dnslookup_cgi_rce Could not be verified
[-] 192.168.1.1:80 http exploits/routers/netgear/n300_auth_bypass is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/multi_password_disclosure-2017-5521 is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/3com/officeconnect_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/3com/imc_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/jnr1010_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/prosafe_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/dgn2200_ping_cgi_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/multi_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/netgear/r7000_r6400_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/tplink/wdr740nd_wdr740n_backdoor is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/tplink/wdr740nd_wdr740n_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/tplink/archer_c2_c20i_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/ipfire/ipfire_shellshock is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/ipfire/ipfire_proxy_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/ipfire/ipfire_oinkcode_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dgs_1510_add_user is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_300_600_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dsl_2750b_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dsp_w110_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dwl_3200ap_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_850l_creds_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dcs_930l_auth_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dsl_2750b_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dsl_2730_2750_path_traversal is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/dlink/dsl_2640b_dns_change Could not be verified
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_300_320_600_615_info_disclosure is not vulnerable
[*] 192.168.1.1:1900 custom/udp exploits/routers/dlink/dir_815_850l_rce Could not be verified
[-] 192.168.1.1:80 http exploits/routers/dlink/dvg_n5402sp_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_300_320_615_auth_bypass is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_645_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/multi_hedwig_cgi_exec is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dwr_932_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dns_320l_327l_rce is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/dlink/dsl_2740r_dns_change Could not be verified
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_645_815_rce is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change Could not be verified
[-] 192.168.1.1:80 http exploits/routers/dlink/multi_hnap_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_8xx_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/dlink/dir_825_path_traversal is not vulnerable
[-] 192.168.1.1:22 ssh exploits/routers/mikrotik/routeros_jailbreak is not vulnerable
[-] 192.168.1.1:8291 custom/tcp exploits/routers/mikrotik/winbox_auth_bypass_creds_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/belkin/g_plus_info_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/belkin/g_n150_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/belkin/auth_bypass is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/belkin/play_max_prce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/belkin/n750_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/belkin/n150_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zyxel/d1000_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zyxel/p660hn_t_v1_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zyxel/p660hn_t_v2_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zyxel/d1000_wifi_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zyxel/zywall_usg_extract_hashes is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/multi/rom0 is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/multi/misfortune_cookie is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/cisco/ios_http_authorization_bypass is not vulnerable
[-] 192.168.1.1:32764 custom/tcp exploits/routers/multi/tcp_32764_info_disclosure is not vulnerable
[-] 192.168.1.1:32764 custom/tcp exploits/routers/multi/tcp_32764_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/2wire/gateway_auth_bypass is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/2wire/4011g_5012nv_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/multi/gpon_home_gateway_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/thomson/twg850_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/asmax/ar_804_gu_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/asmax/ar_1004g_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zte/f460_f660_backdoor is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zte/zxhn_h108n_wifi_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/zte/zxv10_rce is not vulnerable
[-] 192.168.1.1:22 ssh exploits/routers/fortinet/fortigate_os_backdoor is not vulnerable
[-] 192.168.1.1:80 http exploits/routers/movistar/adsl_router_bhs_rta_path_traversal is not vulnerable
[-] 192.168.1.1:23 telnet exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli is not vulnerable
[-] 192.168.1.1:23 telnet exploits/cameras/grandstream/gxv3611hd_ip_camera_backdoor is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/siemens/cvms2025_credentials_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/avigilon/videoiq_camera_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/cisco/video_surv_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/mvpower/dvr_jaws_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/xiongmai/uc_httpd_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/honeywell/hicc_1100pt_password_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/brickcom/corp_network_cameras_conf_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/brickcom/users_cgi_creds_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/dlink/dcs_930l_932l_auth_bypass is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/multi/P2P_wificam_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/multi/P2P_wificam_credential_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/multi/dvr_creds_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/multi/netwave_ip_camera_information_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/cameras/jovision/jovision_credentials_disclosure is not vulnerable
[-] 192.168.1.1:80 http exploits/misc/asus/b1m_projector_rce is not vulnerable
[-] 192.168.1.1:80 http exploits/misc/miele/pg8528_path_traversal is not vulnerable
[-] 192.168.1.1:80 http exploits/misc/wepresent/wipg1000_rce is not vulnerable
[-] 192.168.1.1:43690 custom/udp exploits/routers/huawei/hg520_info_disclosure is not vulnerable
[-] 192.168.1.1:53413 custom/udp exploits/routers/netcore/udp_53413_rce is not vulnerable
[-] 192.168.1.1:69 custom/udp exploits/routers/cisco/ucm_info_disclosure is not vulnerable
[-] 192.168.1.1:1900 custom/udp exploits/routers/dlink/dir_300_645_815_upnp_rce is not vulnerable
[-] 192.168.1.1:39889 custom/udp exploits/routers/dlink/dwr_932b_backdoor is not vulnerable
[-] 192.168.1.1:22 snmp exploits/routers/thomson/twg849_info_disclosure is not vulnerable
[-] 192.168.1.1:9999 custom/udp exploits/routers/asus/infosvr_backdoor_rce is not vulnerable
[*] Elapsed time: 40.6700 seconds

[*] 192.168.1.1 Starting default credentials check...
[-] 192.168.1.1:22 ssh creds/generic/ssh_default is not vulnerable
[-] 192.168.1.1:80 http creds/routers/pfsense/webinterface_http_form_default_creds is not vulnerable
[-] 192.168.1.1:21 ftp creds/generic/ftp_default is not vulnerable
[-] 192.168.1.1:23 telnet creds/generic/telnet_default is not vulnerable
[-] 192.168.1.1:80 http creds/generic/http_basic_digest_default is not vulnerable
[-] 192.168.1.1:80 http creds/cameras/axis/webinterface_http_auth_default_creds is not vulnerable
[-] 192.168.1.1:80 http creds/cameras/acti/webinterface_http_form_default_creds is not vulnerable
[-] 192.168.1.1:80 http creds/cameras/basler/webinterface_http_form_default_creds is not vulnerable
[-] 192.168.1.1:80 http creds/cameras/canon/webinterface_http_auth_default_creds is not vulnerable
[-] 192.168.1.1:80 http creds/routers/asmax/webinterface_http_auth_default_creds is not vulnerable
[-] 192.168.1.1:80 http creds/cameras/brickcom/webinterface_http_auth_default_creds is not vulnerable
[*] Elapsed time: 0.0900 seconds

[*] 192.168.1.1 Could not verify exploitability:
 - 192.168.1.1:80 http exploits/routers/shuttle/915wm_dns_change
 - 192.168.1.1:80 http exploits/routers/billion/billion_5200w_rce
 - 192.168.1.1:80 http exploits/routers/asus/asuswrt_lan_rce
 - 192.168.1.1:23 custom/tcp exploits/routers/cisco/catalyst_2960_rocem
 - 192.168.1.1:80 http exploits/routers/cisco/secure_acs_bypass
 - 192.168.1.1:80 http exploits/routers/3com/officeconnect_rce
 - 192.168.1.1:80 http exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
 - 192.168.1.1:80 http exploits/routers/dlink/dsl_2640b_dns_change
 - 192.168.1.1:1900 custom/udp exploits/routers/dlink/dir_815_850l_rce
 - 192.168.1.1:80 http exploits/routers/dlink/dsl_2740r_dns_change
 - 192.168.1.1:80 http exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change

[-] 192.168.1.1 Could not confirm any vulnerablity

[-] 192.168.1.1 Could not find default credentials
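rsf (AutoPwn) >      # run finished; a lot of output is shown: [+] vulnerable, [-] not vulnerable, [*] could not be determined

Marker   Meaning
------   -------
[+]      Vulnerable
[-]      Not vulnerable
[*]      Could not be determined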
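
Added example (not part of the original post and not RouterSploit code): a small parser that sorts captured AutoPwn output by the three markers above and, for a device whose vendor you know, separates the [*] entries worth checking by hand from modules written for other vendors. The sample lines are constructed; the [+] line and the EXAMPLE_module name are placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the session above. The "[+]" line is a
# placeholder (the run on the page confirmed nothing) and assumes positive
# results use the same columns as the "[-]" and "[*]" lines.
SAMPLE = """\
[*] 192.168.1.1 Starting vulnerablity check...
[-] 192.168.1.1:80 http exploits/generic/heartbleed is not vulnerable
[*] 192.168.1.1:80 http exploits/routers/asus/asuswrt_lan_rce Could not be verified
[*] 192.168.1.1:1900 custom/udp exploits/routers/dlink/dir_815_850l_rce Could not be verified
[-] 192.168.1.1:22 ssh exploits/routers/mikrotik/routeros_jailbreak is not vulnerable
[+] 192.168.1.1:80 http exploits/routers/dlink/EXAMPLE_module is vulnerable
[*] Elapsed time: 40.6700 seconds
[-] 192.168.1.1:23 telnet creds/generic/telnet_default is not vulnerable
 - 192.168.1.1:80 http exploits/routers/asus/asuswrt_lan_rce
"""

STATUS = {"+": "vulnerable", "-": "not_vulnerable", "*": "unverified"}

# marker, host:port, service, module path, trailing note.
# Progress lines ("Starting ...", "Elapsed time ...") and the " - " summary
# list at the end of a run do not match, so nothing is counted twice.
RESULT = re.compile(
    r"^\[(?P<mark>[+\-*])\]\s+(?P<host>\S+):(?P<port>\d+)\s+"
    r"(?P<service>\S+)\s+(?P<module>(?:exploits|creds)/\S+)\s*(?P<note>.*)$"
)


def vendor_of(module):
    """exploits/<class>/<vendor>/<name> -> vendor; shorter paths are generic."""
    parts = module.split("/")
    return parts[2] if len(parts) >= 4 else "generic"


def parse_autopwn(text):
    """Return one dict per per-module result line, in input order."""
    findings = []
    for line in text.splitlines():
        m = RESULT.match(line.rstrip())  # rstrip: copied output is often padded
        if not m:
            continue
        findings.append({
            "status": STATUS[m["mark"]],
            "host": m["host"],
            "port": int(m["port"]),
            "service": m["service"],
            "module": m["module"],
            "vendor": vendor_of(m["module"]),
            "note": m["note"],
        })
    return findings


def triage(findings, device_vendor):
    """Bucket results for the owner of a device from a known vendor."""
    buckets = {"confirmed": [], "review": [], "other_vendor": [], "clean": []}
    wanted = {device_vendor.lower(), "generic", "multi"}
    for f in findings:
        if f["status"] == "vulnerable":
            buckets["confirmed"].append(f)       # always reported
        elif f["status"] == "unverified":
            key = "review" if f["vendor"] in wanted else "other_vendor"
            buckets[key].append(f)
        else:
            buckets["clean"].append(f)
    return buckets


def report(buckets):
    """Render the buckets as plain text lines."""
    lines = []
    for name in ("confirmed", "review", "other_vendor"):
        lines.append(f"{name}: {len(buckets[name])}")
        for f in buckets[name]:
            lines.append(f"  {f['host']}:{f['port']} {f['service']} {f['module']}")
    lines.append(f"clean: {len(buckets['clean'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(parse_autopwn(SAMPLE), "asus"))))
```

The vendor option listed under Module options narrows the scan itself; this filter does the same job for output that has already been captured.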

The exploits module

Checks whether a vulnerability found by the scanners can actually be exploited.

┌──(root㉿kali)-[~/Desktop]
└─# routersploit
 ______            _            _____       _       _ _
 | ___ \          | |          /  ___|     | |     (_) |
 | |_/ /___  _   _| |_ ___ _ __\ `--. _ __ | | ___  _| |_
 |    // _ \| | | | __/ _ \ '__|`--. \ '_ \| |/ _ \| | __|
 | |\ \ (_) | |_| | ||  __/ |  /\__/ / |_) | | (_) | | |_
 \_| \_\___/ \__,_|\__\___|_|  \____/| .__/|_|\___/|_|\__|
                                     | |
       Exploitation Framework for    |_|    by Threat9
            Embedded Devices

 Codename   : I Knew You Were Trouble
 Version    : 3.4.1
 Homepage   : https://www.threat9.com - @threatnine
 Join Slack : https://www.threat9.com/slack

 Join Threat9 Beta Program - https://www.threat9.com

 Exploits: 132 Scanners: 4 Creds: 171 Generic: 4 Payloads: 32 Encoders: 4

rsf > show exploits      # list the exploits available in the exploits module
exploits/cameras/grandstream/gxv3611hd_ip_camera_sqli
exploits/cameras/grandstream/gxv3611hd_ip_camera_backdoor
exploits/cameras/siemens/cvms2025_credentials_disclosure
exploits/cameras/avigilon/videoiq_camera_path_traversal
exploits/cameras/cisco/video_surv_path_traversal
exploits/cameras/mvpower/dvr_jaws_rce
exploits/cameras/xiongmai/uc_httpd_path_traversal
exploits/cameras/honeywell/hicc_1100pt_password_disclosure
exploits/cameras/brickcom/corp_network_cameras_conf_disclosure
exploits/cameras/brickcom/users_cgi_creds_disclosure
exploits/cameras/dlink/dcs_930l_932l_auth_bypass
exploits/cameras/multi/P2P_wificam_rce
exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal
exploits/cameras/multi/P2P_wificam_credential_disclosure
exploits/cameras/multi/dvr_creds_disclosure
exploits/cameras/multi/netwave_ip_camera_information_disclosure
exploits/cameras/jovision/jovision_credentials_disclosure
exploits/routers/huawei/hg866_password_change
exploits/routers/huawei/e5331_mifi_info_disclosure
exploits/routers/huawei/hg520_info_disclosure
exploits/routers/huawei/hg530_hg520b_password_disclosure
exploits/routers/bhu/bhu_urouter_rce
exploits/routers/shuttle/915wm_dns_change
exploits/routers/ubiquiti/airos_6_x
exploits/routers/netsys/multi_rce
exploits/routers/billion/billion_5200w_rce
exploits/routers/billion/billion_7700nr4_password_disclosure
exploits/routers/technicolor/tc7200_password_disclosure_v2
exploits/routers/technicolor/tc7200_password_disclosure
exploits/routers/technicolor/dwg855_authbypass
exploits/routers/technicolor/tg784_authbypass
exploits/routers/asus/rt_n16_password_disclosure
exploits/routers/asus/infosvr_backdoor_rce
exploits/routers/asus/asuswrt_lan_rce
exploits/routers/netcore/udp_53413_rce
exploits/routers/cisco/ucm_info_disclosure
exploits/routers/cisco/ucs_manager_rce
exploits/routers/cisco/unified_multi_path_traversal
exploits/routers/cisco/catalyst_2960_rocem
exploits/routers/cisco/firepower_management60_path_traversal
exploits/routers/cisco/dpc2420_info_disclosure
exploits/routers/cisco/ios_http_authorization_bypass
exploits/routers/cisco/secure_acs_bypass
exploits/routers/cisco/firepower_management60_rce
exploits/routers/linksys/1500_2500_rce
exploits/routers/linksys/wrt100_110_rce
exploits/routers/linksys/smartwifi_password_disclosure
exploits/routers/linksys/wap54gv3_rce
exploits/routers/linksys/eseries_themoon_rce
exploits/routers/3com/officeconnect_rce
exploits/routers/3com/imc_path_traversal
exploits/routers/3com/officeconnect_info_disclosure
exploits/routers/3com/imc_info_disclosure
exploits/routers/3com/ap8760_password_disclosure
exploits/routers/comtrend/ct_5361t_password_disclosure
exploits/routers/netgear/dgn2200_dnslookup_cgi_rce
exploits/routers/netgear/n300_auth_bypass
exploits/routers/netgear/multi_password_disclosure-2017-5521
exploits/routers/netgear/multi_rce
exploits/routers/netgear/wnr500_612v3_jnr1010_2010_path_traversal
exploits/routers/netgear/jnr1010_path_traversal
exploits/routers/netgear/prosafe_rce
exploits/routers/netgear/dgn2200_ping_cgi_rce
exploits/routers/netgear/r7000_r6400_rce
exploits/routers/tplink/wdr740nd_wdr740n_backdoor
exploits/routers/tplink/wdr842nd_wdr842n_configure_disclosure
exploits/routers/tplink/archer_c2_c20i_rce
exploits/routers/tplink/wdr740nd_wdr740n_path_traversal
exploits/routers/ipfire/ipfire_oinkcode_rce
exploits/routers/ipfire/ipfire_shellshock
exploits/routers/ipfire/ipfire_proxy_rce
exploits/routers/dlink/dir_300_645_815_upnp_rce
exploits/routers/dlink/dsl_2750b_rce
exploits/routers/dlink/dgs_1510_add_user
exploits/routers/dlink/dir_300_600_rce
exploits/routers/dlink/dsp_w110_rce
exploits/routers/dlink/dir_850l_creds_disclosure
exploits/routers/dlink/dwl_3200ap_password_disclosure
exploits/routers/dlink/dcs_930l_auth_rce
exploits/routers/dlink/dsl_2750b_info_disclosure
exploits/routers/dlink/dsl_2730_2750_path_traversal
exploits/routers/dlink/dir_300_320_600_615_info_disclosure
exploits/routers/dlink/dsl_2640b_dns_change
exploits/routers/dlink/dir_645_password_disclosure
exploits/routers/dlink/dir_815_850l_rce
exploits/routers/dlink/dvg_n5402sp_path_traversal
exploits/routers/dlink/dir_300_320_615_auth_bypass
exploits/routers/dlink/dwr_932_info_disclosure
exploits/routers/dlink/multi_hedwig_cgi_exec
exploits/routers/dlink/dns_320l_327l_rce
exploits/routers/dlink/dwr_932b_backdoor
exploits/routers/dlink/dsl_2740r_dns_change
exploits/routers/dlink/dir_645_815_rce
exploits/routers/dlink/dsl_2730b_2780b_526b_dns_change
exploits/routers/dlink/multi_hnap_rce
exploits/routers/dlink/dir_8xx_password_disclosure
exploits/routers/dlink/dir_825_path_traversal
exploits/routers/mikrotik/routeros_jailbreak
exploits/routers/mikrotik/winbox_auth_bypass_creds_disclosure
exploits/routers/belkin/g_plus_info_disclosure
exploits/routers/belkin/g_n150_password_disclosure
exploits/routers/belkin/auth_bypass
exploits/routers/belkin/play_max_prce
exploits/routers/belkin/n750_rce
exploits/routers/belkin/n150_path_traversal
exploits/routers/zyxel/d1000_rce
exploits/routers/zyxel/p660hn_t_v1_rce
exploits/routers/zyxel/p660hn_t_v2_rce
exploits/routers/zyxel/d1000_wifi_password_disclosure
exploits/routers/zyxel/zywall_usg_extract_hashes
exploits/routers/multi/rom0
exploits/routers/multi/misfortune_cookie
exploits/routers/multi/gpon_home_gateway_rce
exploits/routers/multi/tcp_32764_info_disclosure
exploits/routers/multi/tcp_32764_rce
exploits/routers/2wire/gateway_auth_bypass
exploits/routers/2wire/4011g_5012nv_path_traversal
exploits/routers/thomson/twg849_info_disclosure
exploits/routers/thomson/twg850_password_disclosure
exploits/routers/asmax/ar_804_gu_rce
exploits/routers/asmax/ar_1004g_password_disclosure
exploits/routers/zte/f460_f660_backdoor
exploits/routers/zte/zxhn_h108n_wifi_password_disclosure
exploits/routers/zte/zxv10_rce
exploits/routers/fortinet/fortigate_os_backdoor
exploits/routers/movistar/adsl_router_bhs_rta_path_traversal
exploits/generic/shellshock
exploits/generic/heartbleed
exploits/generic/ssh_auth_keys
exploits/misc/asus/b1m_projector_rce
exploits/misc/miele/pg8528_path_traversal
exploits/misc/wepresent/wipg1000_rce
rsf > use exploits/misc/wepresent/wipg1000_rce    # use the exploit named wipg1000_rce
rsf (WePresent WiPG-1000 RCE) > show options      # view the options: ssl, target and port need to be set; ssl and port have default values

Target options:

   Name       Current settings     Description                     
   ----       ----------------     -----------                     
   ssl        false                SSL enabled: true/false         
   target                          Target IPv4 or IPv6 address     
   port       80                   Target HTTP port                


Module options:

   Name          Current settings     Description                       
   ----          ----------------     -----------                       
   verbosity     true                 Verbosity enabled: true/false     


rsf (WePresent WiPG-1000 RCE) > set target 192.168.1.1   # set target to 192.168.1.1
[+] target => 192.168.1.1
rsf (WePresent WiPG-1000 RCE) > show options       # target was set successfully

Target options:

   Name       Current settings     Description                     
   ----       ----------------     -----------                     
   ssl        false                SSL enabled: true/false         
   target     192.168.1.1          Target IPv4 or IPv6 address     
   port       80                   Target HTTP port                


Module options:

   Name          Current settings     Description                       
   ----          ----------------     -----------                       
   verbosity     true                 Verbosity enabled: true/false     


rsf (WePresent WiPG-1000 RCE) > set port 8080     # change port from its default to 8080
[+] port => 8080
rsf (WePresent WiPG-1000 RCE) > show options      # port was changed successfully

Target options:

   Name       Current settings     Description                     
   ----       ----------------     -----------                     
   ssl        false                SSL enabled: true/false         
   target     192.168.1.1          Target IPv4 or IPv6 address     
   port       8080                 Target HTTP port                


Module options:

   Name          Current settings     Description                       
   ----          ----------------     -----------                       
   verbosity     true                 Verbosity enabled: true/false     


rsf (WePresent WiPG-1000 RCE) > run       # run the module; it reports that the vulnerability is not present
[*] Running module exploits/misc/wepresent/wipg1000_rce...
[-] Exploit failed - exploit seems to be not vulnerable
rsf (WePresent WiPG-1000 RCE) > 


Other modules

The other modules are used the same way as these two.

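Closing remarks

Without a vulnerable environment it is hard to learn much; when I have time I will try to set one up and study this in more detail. (A real environment was used here.)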
