Web vulnerabilities for wireless routers

1. XSS Vulnerability

2. CSRF Vulnerability

This type of attack can be implemented in a variety of ways, with the exception of a rogue server and the use of a hyperlink trap. The so-called hyperlink trap refers to forging a trusted link or address, but the actual address contains a request to modify the parameters of the wireless router.

If the user is currently successfully logged into the wireless router device, or if there is currently an online administrator session, once the user clicks access to the hyperlink address, the above parameter request operation is performed immediately, and if the page is written with hidden conditions, the wireless router will be directly modified without prompting.

3. DHCP XSS attack

Although this attack is rarely a fully effective XSS attack on most routers, this is primarily because any interaction with the operation of the network interface must be done after the user has successfully authenticated and gained access to the router.

It is now possible to implement the DHCP request via the network interface, which is explained in the following principle:

Most wireless routers display the list of connected clients, along with their associated host names, in the DHCP assignment information in the management interface. The list of display host names is derived from the DHCP request packet, which is sent by the client to the router (because the router also acts as a DHCP server). Then, since the request for an IP address does not require authentication, any user who has access to the local network can execute, through its host name, you can put the javascript/html code on the Management page for the purpose of the attack.

Scapy can send a DHCPREQUEST packet to the router, specify a host name such as '), alert (' XSS ');//, which not only allows the JavaScript to manage the page, but also causes the display of the host list to fail.

In Linksys home routers, D-link routers, etc. may exist.

4. config file leak attack

The configuration file can be downloaded without verification.

The Linksys wireless router is configured for Config.bin. If the WAN configuration of the wireless router is set to PPPoE, it will be displayed as an asterisk at the account and password for direct access to the Linksys Wireless router management interface attack through a MITM man-in-the-middle attack or a session hijacking attack.

Many models of wireless routers are not even able to view the source code to obtain the plaintext of these asterisk passwords. However, it is possible to download the config file to a local analysis and see the problem.

5. config file replacement attack

The principle of replacing attacks as config files is simple, equivalent to restoring a backup file under normal circumstances. As an attacker, once you have the opportunity to log on to the router, such as using the wireless router session hijacking vulnerability, get the Administrator Configuration page. However, because the original administrator password is not known at this time, and because of some of the reasons mentioned above, the attacker could not parse out the password plaintext from the download config file, so they will consider making a config for themselves to replace the original configuration.

1, learn the specific model of wireless router

2. Use the session hijacking attack to get the Administrator Configuration page

3. View all current configuration of the wireless router and record

4. Configure the Router sample immediately and export the config file

5, on the target router will make a good config file import

6, malicious super long character login no response vulnerability

An attacker constructs an account name and password that exceeds the length of its design definition, which could cause the wireless device to be busy processing for a long time without responding or restarting.

Web vulnerabilities for wireless routers