D-Link DSR Router Series SQL Injection Vulnerability (CVE-2013-5945)

Published: 2013-12-03
Updated: 2013-12-12

Affected systems:
D-Link DSR Router DSR-500N
D-Link DSR Router DSR-250N
D-Link DSR Router DSR-150N
D-Link DSR Router DSR-150
D-Link DSR Router DSR-1000N
D-Link DSR Router DSR-1000
D-Link DSR Router DSR-500
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 64172
CVE(CAN) ID: CVE-2013-5945

D-Link DSR is a line of wireless services routers.

The D-Link DSR router series contains an SQL injection vulnerability in its implementation. Successful exploitation lets an attacker control the application, access or modify data, or exploit further weaknesses in the underlying database, and thereby bypass authentication.

<*Source: nu11.nu11
  *>
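The description above names the bug class (an SQL injection in the login path that yields an authentication bypass) without showing the code pattern behind it. The following added example, written for this page and not taken from D-Link firmware or from the advisory author, illustrates that pattern with a constructed in-memory SQLite account table: a login check that concatenates untrusted input into the query sits beside a parameterized version. The schema, the hashing scheme and the sample account are assumptions chosen for the demonstration; the real DSR storage is not described on this page.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed sample account store standing in for a device's local
    user database (assumed schema, not the DSR's real one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("admin", hashlib.sha256(b"correct-horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Builds the statement by string formatting, so whatever the client
    sends as the user name becomes part of the SQL grammar.  A quote or
    comment sequence in the name can cut the password condition off."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'" % (user, pw_hash)
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, user, password):
    """Binds the user name as a parameter, so it is only ever compared as
    data; the password check is then done in Python with a constant-time
    comparison rather than inside the query."""
    row = conn.execute("SELECT pw_hash FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hashlib.sha256(password.encode()).hexdigest())


if __name__ == "__main__":
    db = make_db()
    print("valid credentials, vulnerable:", login_vulnerable(db, "admin", "correct-horse"))
    print("valid credentials, hardened: ", login_hardened(db, "admin", "correct-horse"))
    print("wrong password, vulnerable:  ", login_vulnerable(db, "admin", "wrong"))
    print("wrong password, hardened:    ", login_hardened(db, "admin", "wrong"))
```

The bound parameter is the fix that matters: no amount of escaping on the caller's side is as reliable as never letting the user name reach the SQL parser as code. A plain unsalted SHA-256 is used here only to keep the example short; a real account store should use a salted, slow password hash.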

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users act at their own risk!

#!/usr/bin/python
#
# CVEs:                  CVE-2013-5945 - Authentication Bypass by SQL-Injection
#                        CVE-2013-5946 - Privilege Escalation by Arbitrary Command Execution
#
# Vulnerable Routers:    D-Link DSR-150 (Firmware < v1.08B44)
#                        D-Link DSR-150N (Firmware < v1.05B64)
#                        D-Link DSR-250 and DSR-250N (Firmware < v1.08B44)
#                        D-Link DSR-500 and DSR-500N (Firmware < v1.08B77)
#                        D-Link DSR-1000 and DSR-1000N (Firmware < v1.08B77)
#
# Likely to work on:    D-Link DWC-1000
#
# Download URL:         
#
# Arch:                  mips and armv6l, Linux
#
# Author:                0_o -- null_null
#                        nu11.nu11 [at] yahoo.com
#                        Oh, and it is n-u-one-one.n-u-one-one, no l's...
#                        Wonder how the guys at packet storm could get this wrong :(
#
# Date:                  2013-08-18
#
# Purpose:              Get a non-persistent root shell on your D-Link DSR.
#
# Prerequisites:        Network access to the router ports 443 and 23.
#                        !!! NO AUTHENTICATION CREDENTIALS REQUIRED !!!
#
#
# Coordinated Disclosure -- history and timeline:
#
# 2013-09-12:  Informed Heise Security and asked for their support on this case
# 2013-09-13:  Informed the manufacturer D-Link via
#                (contact form is buggy!)
#              (contact request submitted)
#              (contact form is buggy!)
#              mail@dlink.ru (contact request sent)
#              info@dlink.ee (contact request sent)
#              info@dlink.de (contact request sent)
# 2013-09-14:  Informed the German Federal Office for Information Security (BSI) via certbund@bsi.bund.de 
# 2013-09-16:  D-Link Russia and D-Link Germany claim to have forwarded my request.
# 2013-09-17:  German BSI responds, contact established.
# 2013-09-24:  Requested CVE-IDs.
# 2013-09-25:  Heise responds, contact established.
# 2013-09-27:  D-Link asks for details on vulns and the exploit code.
#              Mitre assigns two CVEs:
#                  CVE-2013-5945 -- authentication bypass
#                  CVE-2013-5946 -- privilege escalation
# 2013-09-30:  D-Link has received the exploit and documentation via BSI
# 2013-11-29:  Patches are available for the DSR router series via tsd.dlink.com.tw
#                DSR-150:                Firmware v1.08B44
#                DSR-150N:              Firmware v1.05B64
#                DSR-250 and DSR-250N:  Firmware v1.08B44
#                DSR-500 and DSR-500N:  Firmware v1.08B77
#                DSR-1000 and DSR-1000N: Firmware v1.08B77
# 2013-12-03:  Public Disclosure
#
# And now - the fun part :-)
#


import httplib
import urllib
import telnetlib
import time
import sys
import crypt
import random
import string
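The disclosure timeline above lists the firmware builds in which D-Link fixed the DSR series. What an operator wants from that list is a quick way to tell whether a given unit is still exposed. The following added example (written for this page, independent of the script above and of any D-Link tool) parses the vendor's "v1.08B44"-style version strings into comparable tuples and checks a model/firmware pair against the fixed builds quoted in the timeline. The version-string grammar is an assumption based on the strings shown on this page.

```python
import re

# Fixed firmware builds exactly as listed in the disclosure timeline
# (entry dated 2013-11-29); a model not in this table is not covered here.
FIXED_FIRMWARE = {
    "DSR-150": "v1.08B44",
    "DSR-150N": "v1.05B64",
    "DSR-250": "v1.08B44",
    "DSR-250N": "v1.08B44",
    "DSR-500": "v1.08B77",
    "DSR-500N": "v1.08B77",
    "DSR-1000": "v1.08B77",
    "DSR-1000N": "v1.08B77",
}

# Assumed grammar: optional "v", major.minor, then "B" and a build number.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)B(\d+)$", re.IGNORECASE)


def parse_version(text):
    """Turn 'v1.08B44' into (1, 8, 44) so versions compare numerically;
    raise on anything that does not match the expected shape."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised firmware version: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_patched(model, firmware):
    """True when the running firmware is at or above the fixed build for
    the model; KeyError for models this advisory does not list."""
    key = model.strip().upper()
    if key not in FIXED_FIRMWARE:
        raise KeyError("model %r is not covered by this advisory" % model)
    return parse_version(firmware) >= parse_version(FIXED_FIRMWARE[key])


if __name__ == "__main__":
    for model, fw in [("DSR-500N", "v1.08B76"), ("DSR-500N", "v1.08B77"),
                      ("DSR-150N", "v1.05B64"), ("dsr-1000", "1.09B01")]:
        state = "patched" if is_patched(model, fw) else "VULNERABLE"
        print("%-9s %-9s %s" % (model, fw, state))
```

Tuple comparison keeps the build number subordinate to major.minor, so "v1.09B01" correctly ranks above "v1.08B77" even though 1 is less than 77; comparing the raw strings would get that wrong.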
