Exploits / Vulnerability Discovered: 2018-07-10 |
Type: webapps |
Platform: hardware
This exploit / vulnerability (D-Link DIR-601 2.02 credential disclosure) is for educational purposes only; if you use it, you do so at your own risk!
# 1. Description:
# While analyzing the Captcha function implemented in the DIR-601 (2.02NA firmware),
# an HTTP request was found to be responsible for the handoff to client-side code.
# Inspecting the HTTP requests, it was identified that a parameter named 'table_name'
# is used to instruct the back-end application which content to return. By abusing this
# request, it was found possible to retrieve sensitive information relating to the device
# configuration and administrative credentials.
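The root cause described above is a handler that lets the client name the table it wants and returns it without an authentication check or an allow-list. The following added example (not code from the advisory or from D-Link's firmware) models that pattern beside a hardened handler; the table names, field names and session flag are hypothetical stand-ins, since the advisory does not list the real identifiers.

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for the back-end's table store. Table and field names
# are hypothetical; the advisory does not list the real identifiers.
TABLES = {
    "captcha_state": {"challenge_id": "c-1234"},
    "admin_account": {"user": "admin", "password": "[placeholder]"},
    "wireless_config": {"ssid": "HomeNet", "psk": "[placeholder]"},
}

# Tables the unauthenticated captcha/login page legitimately needs (assumed).
PUBLIC_TABLES = {"captcha_state"}

# Fields that must never be echoed back to any client, even an authenticated one.
SECRET_FIELDS = {"password", "psk"}


def vulnerable_handler(body: str) -> Optional[dict]:
    """Pattern the advisory describes: the client picks the table via the
    'table_name' POST parameter and the server returns it as-is, with no
    authentication check and no allow-list."""
    params = parse_qs(body)
    name = params.get("table_name", [""])[0]
    return TABLES.get(name)


def hardened_handler(body: str, authenticated: bool) -> Optional[dict]:
    """Hardened form: the table name is validated against known tables,
    unauthenticated callers only get allow-listed public tables, and
    secret-bearing fields are stripped before anything is returned."""
    params = parse_qs(body)
    name = params.get("table_name", [""])[0]
    if name not in TABLES:
        return None
    if name in PUBLIC_TABLES:
        return TABLES[name]
    if not authenticated:
        return None  # private table requested without a session: refuse
    return {k: v for k, v in TABLES[name].items() if k not in SECRET_FIELDS}
```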
# It is possible to modify the HTTP POST to my_cgi.cgi so that table_name references
# other tables, retrieving the administrative credentials, wireless SSID, and pre-shared key where
# applicable. Enumerating the naming conventions within the client-side code, it was
# determined that a number of potentially sensitive parameters/tables exist in the
# back-end environment which would be of significant value if retrieved; four of these include: