通过javascript破解TP-Link路由器(含Poc和视频)
通过javascript破解TP-Link路由器(含Poc和视频)
新闻链接:
5f0K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0G2j5X3q4G2i4K6u0W2x3K6j5H3i4K6u0W2j5$3&6Q4x3V1k6F1k6i4N6K6i4K6u0r3k6r3g2@1j5h3W2D9i4K6u0r3x3e0t1H3y4W2)9J5k6h3S2@1L8h3H3`.
时间2015-02-05 13:43:37
最近读到这个帖子:“get_local_and_public_ip_addresses_in_javascript(用javascript获取本地和公网IP地址)”我就开始想,这个用来黑进WIFI路由器是个好思路啊,我手头正好有个TP-LINK的WR741N,那就测起来呗。
收集相关信息,我最开始找到了一篇“Brazilian, U.S. Web Users Targeted by Router-Hacking Group”(Router-Hacking组织瞄上的巴西、美国用户),以及另一篇非常拽的“4.5 million routers hacked in Brazil”(巴西被黑掉的450万路由器)。攻击代码是针对IE的,然后我就想,“用javascript来获取本地IP之后,应该就没那么难了吧”,然后我就开始挖坑。。。
我发现了介个,那就开始吧,呵呵:)。能够找到IP,然后尝试与路由器对话。“同源策略”贼闹心,整得不能直接给路由器发XMLHttpRequests。HTTP基础认证 也整的不能通过对话框读版本,也读不了头文件等等。
但是要是TP-Link呢,就可以用iframe或者img标签。遇到Chrome就坏菜,所以我就只能测试iceweasel了。如我所言,不能发送GET/POST请求,但是你可以用这个登陆: <iframe src="http://admin:admin@192.168.1.1">。
关于绕过同源策略最有趣的就是,根本不用绕,你可以直接像我一样用iframe登陆,包括img标签:
fa8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4c8H3i4K6u0V1L8r3W2F1K9#2)9J5k6h3y4G2L8g2)9J5c8Y4u0W2M7$3!0#2M7X3y4W2M7#2)9J5c8Y4y4A6L8i4g2D9j5i4c8G2M7W2)9J5c8W2c8x3i4K6u0V1g2#2t1%4y4e0m8z5i4K6g2X3g2U0g2Q4x3X3f1H3i4K6u0r3K9h3#2S2k6$3g2K6i4K6u0r3N6r3!0H3x3g2)9#2k6U0q4Q4x3X3g2B7M7r3M7`. 但是还有个问题,如果username/password不匹配,基础认证对话框就弹出来了,没有办法用javascript来关闭或者隐藏它。花了好几个小时我最终绕过了通过:setAttribute("id", Math.random());
t0188787f6152bfbc62.png
之后我就写了针对我的路由器的poc,成功测试的视频:
TP-Link模拟器:
6fbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4c8H3i4K6u0V1L8r3W2F1K9#2)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0r3M7%4g2H3M7r3!0J5N6q4)9J5c8X3g2E0N6h3I4S2N6r3!0J5M7#2)9J5c8R3`.`.
OK,我能获得本机ip,我可以用“绕过”验证窗口来破解密码,但是怎样识别路由版本来修改DNS?然后我继续挖...
我知道可以包含图片,但脚本呢?有个很赞的.js文件,localiztion/str_menu.js。
83cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4c8H3i4K6u0V1L8r3W2F1K9#2)9J5k6h3y4G2L8g2)9J5c8Y4u0W2M7$3!0#2M7X3y4W2M7#2)9J5c8Y4y4A6L8i4g2D9j5i4c8G2M7W2)9J5c8W2c8x3i4K6u0V1g2#2t1%4y4e0m8z5i4K6g2X3g2U0g2Q4x3X3f1H3i4K6u0r3L8r3!0U0j5h3I4A6P5Y4c8A6L8$3&6Q4x3V1k6K6N6s2u0Q4y4h3k6E0k6h3&6#2i4K6u0W2K9Y4x3`.
PoC我放在这了,针对Mozilla Firefox和TP-Link路由器的版本:
890K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3S2S2j5$3E0@1K9r3g2H3L8r3q4F1k6i4c8Q4x3X3g2U0P5W2)9J5c8W2m8G2b7#2)9J5k6h3S2@1L8h3H3`.
源代码放这:
1c0K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4y4@1i4K6u0W2k6$3W2@1K9s2g2T1i4K6u0W2j5$3!0E0i4K6u0r3N6X3q4$3K9$3q4E0K9h3I4Q4x3V1j5#2x3r3j5&6j5K6u0X3j5h3j5I4x3o6m8S2k6o6S2U0y4e0x3%4y4R3`.`.
如果你没有TP-Link路由器,你可以用这个:
0adK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3S2S2j5$3E0@1K9r3g2H3L8r3q4F1k6i4c8Q4x3X3g2U0P5W2)9J5c8W2m8G2b7K6u0Q4x3X3g2Z5N6r3#2D9
更改DNS设置就是几行代码的事。可以轻易获取IP,匿名更改DNS设置,如此可怕的时代,我们如何自处?
参考:
ccbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3&6W2N6q4)9J5k6h3W2H3j5$3q4D9k6W2)9J5k6h3y4G2L8g2)9J5c8R3`.`.
075K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4J5P5i4m8@1L8#2)9J5k6i4y4@1j5h3&6X3L8%4u0V1i4K6u0W2k6h3c8#2i4K6u0r3f1s2N6V1d9r3q4K6K9q4)9J5c8Y4m8%4k6r3S2S2M7$3S2Q4x3X3g2H3k6r3j5`.
df2K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0J5L8%4N6K6k6i4u0D9k6h3q4C8M7#2)9J5k6h3y4G2L8g2)9J5c8X3A6S2N6X3q4K6j5%4u0A6M7s2b7`.
6b1K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3N6F1N6h3y4A6N6r3W2*7k6h3&6Q4x3X3g2G2M7X3N6Q4x3V1k6T1L8r3!0Y4i4K6u0r3K9r3q4U0K9$3W2F1k6#2)9J5k6s2c8Z5k6g2)9J5k6r3W2F1N6r3g2J5N6$3g2T1M7#2)9J5c8R3`.`.
bcdK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2%4k6h3g2C8i4K6u0W2j5$3!0E0i4K6u0r3M7$3g2U0N6i4u0A6N6s2W2Q4x3V1k6H3L8s2g2Y4i4K6u0V1j5h3&6V1i4K6u0V1M7r3I4S2P5g2)9J5k6r3k6D9j5i4N6K6i4K6u0V1L8r3g2S2N6X3g2Q4x3X3c8E0K9h3I4D9K9h3!0F1M7#2)9J5k6r3!0X3i4K6u0V1k6r3g2$3K9h3y4W2M7#2)9J5k6s2k6#2L8r3&6W2M7X3q4T1L8r3g2Q4x3X3c8J5k6i4y4W2j5i4u0U0K9r3g2J5M7H3`.`.
8d7K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6M7$3y4Z5L8$3!0D9M7#2)9J5k6h3y4G2L8g2)9J5c8X3S2@1L8h3I4Q4x3V1k6Z5N6r3#2D9y4g2)9#2k6Y4N6W2j5Y4y4@1L8%4u0S2k6$3g2Q4x3X3g2S2M7%4l9`.
b30K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6M7$3y4Z5L8$3!0D9M7#2)9J5k6h3y4G2L8g2)9J5c8X3S2@1L8h3I4Q4x3V1k6@1M7Y4W2A6N6q4)9J5k6h3q4K6M7q4)9K6c8X3k6A6L8r3g2F1j5h3#2W2i4K6y4p5N6s2u0&6K9s2c8E0L8o6g2Q4y4h3k6%4k6h3u0K6N6r3!0J5j5h3N6W2i4K6g2X3L8r3!0U0j5h3I4Q4y4h3k6U0L8r3W2U0K9$3y4G2N6h3&6@1
0a7K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Z5j5h3y4C8K9h3&6Y4i4K6u0W2N6X3g2F1N6s2g2J5k6i4y4Q4x3V1k6D9L8$3y4S2L8q4)9J5k6r3W2H3i4K6u0V1k6r3W2K6j5$3!0$3k6i4u0&6i4K6u0V1N6$3W2@1K9q4)9J5k6r3S2@1L8h3H3#2i4K6u0V1N6$3g2T1M7Y4c8U0i4K6u0V1M7$3g2U0N6i4u0A6N6s2W2Q4x3X3c8S2L8X3c8Q4x3X3c8H3M7X3W2$3j5h3y4&6i4K6u0V1M7X3W2K6K9#2)9J5c8R3`.`.
f82K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1L8q4)9J5k6h3c8J5L8%4m8T1L8%4S2#2M7$3g2J5j5$3!0F1N6r3g2F1N6q4)9J5k6h3y4G2L8g2)9J5c8Y4g2Q4x3V1j5I4z5o6M7^5y4U0M7I4i4K6u0r3k6h3&6#2L8h3S2G2M7%4c8K6i4K6u0W2K9s2c8E0L8l9`.`.
b6fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6V1K9h3q4X3P5h3N6A6i4K6u0r3N6$3g2T1M7Y4c8U0i4K6u0V1K9i4m8K6
e90K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1K9h3q4X3P5h3N6A6i4K6u0W2k6$3W2@1K9s2g2T1i4K6u0W2K9h3!0Q4x3V1k6%4k6h3u0J5N6r3y4Q4x3X3c8A6M7s2y4Q4x3V1j5`.
47cK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4y4U0K9i4m8Q4x3X3g2U0K9q4)9J5c8X3g2F1i4K6u0r3i4K6y4r3N6Y4g2D9k6r3u0Q4x3X3f1^5y4e0l9I4
8a9K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5K6x3K6N6V1j5i4W2Q4x3X3g2U0L8$3#2Q4x3V1k6W2P5s2m8D9L8$3W2@1i4K6u0r3x3U0l9K6y4K6t1`.
825K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3c8A6N6X3g2A6L8Y4c8G2K9s2c8E0L8o6g2Q4x3X3g2A6L8X3k6G2i4K6u0r3M7%4c8G2M7X3q4Y4k6g2)9J5k6h3S2@1L8h3H3`.
7faK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6U0L8r3c8J5L8W2)9J5c8X3&6E0j5i4m8Q4x3X3c8F1M7$3g2Q4x3X3c8K6j5%4u0A6M7s2c8K6i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8Y4y4U0M7X3W2H3N6s2y4Q4x3V1j5$3i4K6u0W2P5q4)9J5c8X3S2@1N6s2m8Q4x3X3c8@1M7r3I4A6L8X3E0Q4x3X3c8V1K9i4u0Q4x3X3c8@1M7X3q4$3k6i4u0K6j5h3I4Q4x3X3g2F1M7$3f1`.
a5fK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4m8U0N6$3!0J5L8r3c8Q4x3X3g2U0L8$3#2Q4x3V1k6S2M7Y4c8A6j5$3I4W2i4K6u0r3x3U0p5H3y4o6x3^5x3q4)9J5c8X3q4@1N6r3q4U0K9#2)9J5k6r3y4S2L8i4m8S2K9h3N6F1i4K6u0V1j5$3!0E0M7s2u0G2L8h3W2K6k6i4y4Q4x3X3b7K6x3o6l9H3x3o6m8Q4x3X3c8Z5L8$3#2W2i4K6u0V1M7X3!0#2N6r3g2J5M7#2)9J5k6r3q4D9N6r3g2J5M7#2)9J5k6r3c8F1M7#2)9J5k6s2y4W2N6s2c8A6L8X3N6K6i4K6u0W2K9s2c8E0L8l9`.`.
70bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3S2W2P5s2g2K6i4K6u0W2L8X3g2@1i4K6u0r3N6r3g2U0K9q4)9J5c8X3&6W2N6%4y4Q4x3V1k6F1k6i4c8%4L8%4u0C8i4K6u0r3y4U0p5&6x3U0g2Q4x3X3c8K6L8$3#2W2i4K6u0V1N6s2m8Q4x3X3c8D9K9h3&6C8i4K6u0V1M7X3!0#2N6r3g2J5M7#2)9J5k6s2k6#2L8r3&6W2M7X3q4T1L8r3g2Q4x3X3c8W2P5s2m8D9L8$3W2@1i4K6u0V1k6X3!0#2L8X3c8Q4x3X3c8%4K9h3I4V1i4K6u0r3
373K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3A6S2K9$3!0T1L8r3g2D9L8q4)9J5k6h3y4G2L8g2)9J5c8X3u0D9L8$3N6Q4x3V1j5J5x3o6p5K6i4K6u0r3x3e0m8Q4x3V1j5K6x3q4)9J5c8Y4u0W2j5h3I4Q4x3X3c8%4L8%4u0D9k6q4)9J5k6r3y4K6M7X3k6Q4x3X3c8S2N6s2c8S2j5$3E0Q4x3X3c8Z5K9h3A6S2j5$3E0K6i4K6u0V1k6r3&6K6i4K6u0V1M7$3g2J5N6X3g2J5i4K6u0V1j5$3!0F1k6X3W2Y4N6i4u0S2N6r3W2G2L8W2)9J5k6r3!0X3i4K6u0V1N6s2m8Q4x3X3c8D9K9h3&6C8i4K6u0V1M7X3!0#2N6r3g2J5M7#2)9J5k6o6u0Q4x3V1j5`.
f4bK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3&6W2N6%4y4Q4x3X3g2K6L8$3k6@1M7r3g2V1K9h3q4Q4x3X3g2U0L8$3#2Q4x3V1k6F1k6i4N6K6i4K6u0r3b7%4W2T1k6i4u0U0M7X3W2E0K9h3&6S2L8s2y4Q4x3X3c8q4P5s2m8D9L8$3W2@1i4K6u0V1g2q4m8Q4x3X3c8x3K9h3&6C8i4K6u0V1f1X3!0#2N6r3g2J5i4K6u0V1b7#2y4d9c8W2)9J5k6q4k6#2L8r3&6W2M7X3q4T1K9h3I4A6N6r3W2W2M7#2)9J5k6s2c8G2i4K6u0V1d9r3W2B7j5h3y4C8i4K6u0V1c8p5&6e0i4K6u0V1f1$3g2@1N6r3W2F1k6%4y4Q4x3X3b7K6z5e0f1#2y4o6g2Q4x3X3g2K6K9s2c8E0L8l9`.`.
b89K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6W2P5s2m8D9L8$3W2@1M7#2)9J5k6i4y4Z5L8$3c8S2L8W2)9J5k6h3W2G2i4K6u0r3i4K6y4r3M7g2)9K6c8q4c8b7i4K6u0V1e0r3W2F1K9H3`.`.
960K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6V1k6i4k6W2L8r3!0H3k6i4u0Q4x3X3g2E0L8%4A6A6L8r3I4S2i4K6u0W2L8%4u0Y4i4K6u0r3k6h3&6Q4x3X3c8g2f1#2)9J5c8X3c8G2j5%4y4Q4x3V1k6i4k6h3u0Q4x3V1k6t1g2q4c8b7i4K6u0r3b7X3q4K6K9h3y4Q4y4h3k6S2j5$3y4W2M7%4y4Q4y4h3k6S2N6i4c8Z5k6h3&6@1K9h3y4S2N6r3W2G2L8R3`.`.
c40K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4M7K6M7$3y4Z5L8$3!0D9M7#2)9J5k6h3y4G2L8g2)9J5c8X3S2@1L8h3I4Q4x3V1k6@1M7Y4W2A6N6q4)9J5k6h3q4K6M7q4)9K6c8X3k6A6L8r3g2F1j5h3#2W2i4K6y4p5N6s2u0&6K9s2c8E0L8o6g2Q4y4h3k6%4k6h3u0K6N6r3!0J5j5h3N6W2i4K6g2X3L8r3!0U0j5h3I4Q4y4h3k6U0L8r3W2U0K9$3y4G2N6h3&6@1 本文由 360安全播报 翻译,转载请注明“转自360安全播报”,并附上链接。
原文链接:
6caK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6i4S2W2P5r3g2^5k6g2)9J5k6h3y4*7i4K6u0r3x3U0l9I4y4g2)9J5c8U0l9J5i4K6u0r3j5Y4u0#2N6r3g2X3L8%4u0U0K9h3&6Y4i4K6u0V1N6s2m8Q4x3X3c8D9K9h3&6C8i4K6u0V1M7X3!0#2N6r3g2J5M7#2)9J5k6s2N6A6N6r3S2Q4x3X3g2Z5N6r3#2D9
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
