xml downloading when not allowed

[cgkades]

on my router (d-link) it sends the pasword to an xml file for verification. i'm trying to bypass my routers authentication by using different methods. i've already figured out other ways, but i'm trying to learn, so i'm trying this way too. does anyone have a tool or a javascript snippit that downloads xml files? or is there just an easy way and i'm retarded? i've been looking at the .js files to get an idea of whats going on, but i think viewing some code thats directed at this specifically will help me more. i've been working on this for a few days now with no luck. i've googled the hell out of it, but i'm probably not using the right key words. can anyone offer any help?

[imported_cybrsnpr]

wget http://targetip/foofolder/blah.xml

[cgkades]

wget http://targetip/foofolder/blah.xml

nope. doesnt work

Code:

wget http://10.1.1.1/post_login.xml
--2009-04-19 20:24:46--  http://10.1.1.1/post_login.xml
Connecting to 10.1.1.1:80... connected.
HTTP request sent, awaiting response... 503 Service Unavailable
2009-04-19 20:24:46 ERROR 503: Service Unavailable.

and trying to view it directly in firefox

Code:

XML Parsing Error: syntax error
Location: http://10.1.1.1/post_login.xml
Line Number 1, Column 1:Service Unavailable
^

[imported_cybrsnpr]

Sorry. Thought it was worth a try.

[cgkades]

Sorry. Thought it was worth a try.

yeah, it's what i tried first comming to a forum is my last attempt before grabbing an xml book and spending a week learning how to write in xml, then grabbing a javascript book and learning that. i stopped being a web developer about 8 years ago because i hated it, and trying to find all vulnerabilities in my router is reminding me why

[lupin]

I assume you have used some sort of intercepting web proxy (Burp, Paros) to view the HTTP logon transaction to see how it works?

This will give you an idea of how the username and password are being passed to the XML page (URL parameter, cookie value, form post etc) which you will need to know to mount a proper attack. Using those tools you will also be able to trap and modify requests to see how it works (and breaks).

Its possible you wont be able to download a useful version of the "code" for the XML file because there is likely some sort of server side scripting going on on the router, and you usually wont be able to get this code by making http requests unless some sort of misconfiguration has been performed.

[imported_cybrsnpr]

Getting a 503 error is very strange. I would have expected a 403 error instead. Can you pull any other web pages using wget? Also, have you tried to pull your xml page by passing a username & password in your wget request (I know that defeats your purpose, but it would be a useful test)?

[cgkades]

I assume you have used some sort of intercepting web proxy (Burp, Paros) to view the HTTP logon transaction to see how it works?

This will give you an idea of how the username and password are being passed to the XML page (URL parameter, cookie value, form post etc) which you will need to know to mount a proper attack. Using those tools you will also be able to trap and modify requests to see how it works (and breaks).

Its possible you wont be able to download a useful version of the "code" for the XML file because there is likely some sort of server side scripting going on on the router, and you usually wont be able to get this code by making http requests unless some sort of misconfiguration has been performed.

I have captured the transaction. and i am able to straight copy and paste the hash to gain admin rights. I know i cant just download it. but looking at the javascript in the files the index.html page uses (the logon page), it uses a parsing algorithm to grab elements by tag name. i've tried to modify the code to alert() me of the tag names and their contents. but i just dont know javascript well enough. i know if i sat down and went through it line by line and kept track of variables and values i could get further, it's just that is going to take ALOT of time. i'm pretty good at picking up code, so i was looking for someone that had this problem and created a solution already so i can look at the code to get a better understanding.

Getting a 503 error is very strange. I would have expected a 403 error instead. Can you pull any other web pages using wget? Also, have you tried to pull your xml page by passing a username & password in your wget request (I know that defeats your purpose, but it would be a useful test)?

i've pulled the results of passing the correct username and password. it sends the browser a link to the pages that allow for configuring the router. btw you do not need authentication to view these pages, which is a huge flaw in my router.. fun fun.

so far (if anyone is interested), i have found two security holes in my d-link router. one- if you do a man in the middle attack you can get the http get request for the hash. all you have to do is pass that to the xml file, and bingo you get access. orrrrrrrrrrrr all you need to know is the address of one of the config pages. /status/someting.html (i've forgotten, it's been a few days). and i know if i can get the xml code somehow that would be another hole.

[lupin]

Hmm OK.

Maybe try Firebug in Firefox to help with inspection of the Javascript? You could also try using a standalone debugger like Rhino/Spidermonkey although that can get awkward with supporting some of the web specific Javascript commands.

How is the hash calculated and passed do you know?

[cgkades]

Hmm OK.

Maybe try Firebug in Firefox to help with inspection of the Javascript? You could also try using a standalone debugger like Rhino/Spidermonkey although that can get awkward with supporting some of the web specific Javascript commands.

How is the hash calculated and passed do you know?

if you want i can copy and paste the code. but basically it padds it then sends it to an md5 function. the send command is basically

var xml_loader = new ajax_xmlhttp("/post_login.xml?hash=" + login_hash, xml_ready, xml_timeout);