关联漏洞
标题:
BusyBox 路径遍历漏洞
(CVE-2011-5325)
描述:BusyBox是由软件开发者Denys Viasenko开发维护的一个UNIX程序实用包。BusyBox implementation of tar是其中的一个tar(文件备份)命令的实现。 BusyBox implementation of tar 1.22.0 v5之前的版本中存在目录遍历漏洞。远程攻击者可通过符号链接攻击利用该漏洞读取任意文件。
描述
Proof Of Concept
介绍
Title: PoC: Detecting Hardcoded Credentials (Default Password) in DCS-953L Firmware of Dlink (Novi Hogeschool Assessment)
Purpose: This Python script provides a foundational demonstration of how to automate the initial steps of searching for hardcoded credentials within the Dlink DCS-935L Firmware. It's designed as an educational Proof of Concept (PoC) for a Novi Hogeschool assessment.
Usage: To use the provided script, follow these steps:
1. Install Python: Ensure Python is installed on your system.
Linux Install Python:
```
sudo apt install python3
```
Mac Install Python:
```
brew install python
```
2. Install Required Modules: You need to install the `requests` module if it's not already installed. You can do this using pip, Python's package manager, by running the following command in your terminal or command prompt:
```
pip install requests
```
3. Run the Script: Open a terminal or command prompt, navigate to the directory containing the `CVE-2019-12550.py` file, and run the script using the following command:
```
python3 CVE-2019-12550.py
```
4. Check Output: After running the script, it will download the DCS935L Firmware, extract its contents, locate the `/etc/passwd_default` file, read its content, and write it to a new file named `done.txt`. You can find the `done.txt` file in the same directory where you ran the script.
5. Review Output: Open the `done.txt` file to review the contents of the `/etc/passwd_default` file, which was retrieved.
How it Works
Downloads a Repository: The script downloads a specified GitHub repository as a ZIP file.
Extracts the Archive: It extracts the contents of the downloaded ZIP file.
Locates a Target File: The script navigates the extracted file structure to locate a specific file (in this example, 'etc/passwd_default').
Copies File Content: The contents of the target file are copied to a new file ('done.txt') for further manual inspection.
Important Notes
Ensure you have the requests and zipfile libraries installed (pip install requests zipfile).
Disclaimer: This script is intended for educational use within the scope of a Novi Hogeschool assessment. Always use code responsibly and ethically when interacting with GitHub repositories.
Author Georgio T
文件快照
[4.0K] /data/pocs/83c5a2dc02052b3bd18ef22af5422ce790138002
├── [1.1K] CVE-2019-12550.py
└── [2.2K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。