Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: xml downloading when not allowed

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    46

    Default xml downloading when not allowed

    On my router (D-Link) it sends the password to an XML file for verification. I'm trying to bypass my router's authentication by using different methods. I've already figured out other ways, but I'm trying to learn, so I'm trying this way too. Does anyone have a tool or a JavaScript snippet that downloads XML files? Or is there just an easy way and I'm retarded? I've been looking at the .js files to get an idea of what's going on, but I think viewing some code that's directed at this specifically will help me more. I've been working on this for a few days now with no luck. I've googled the hell out of it, but I'm probably not using the right keywords. Can anyone offer any help?

  2. #2

  3. #3
    Junior Member
    Join Date
    Jul 2008
    Posts
    46

    Default

    Quote Originally Posted by cybrsnpr View Post
    Nope. Doesn't work.

    Code:
    wget http://10.1.1.1/post_login.xml
    --2009-04-19 20:24:46--  http://10.1.1.1/post_login.xml
    Connecting to 10.1.1.1:80... connected.
    HTTP request sent, awaiting response... 503 Service Unavailable
    2009-04-19 20:24:46 ERROR 503: Service Unavailable.
    and trying to view it directly in Firefox:
    Code:
    XML Parsing Error: syntax error
    Location: http://10.1.1.1/post_login.xml
    Line Number 1, Column 1:Service Unavailable
    ^

  4. #4

    Default

    Sorry. Thought it was worth a try.

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Posts
    46

    Default

    Quote Originally Posted by cybrsnpr View Post
    Sorry. Thought it was worth a try.
    Yeah, it's what I tried first. Coming to a forum is my last attempt before grabbing an XML book and spending a week learning how to write in XML, then grabbing a JavaScript book and learning that. I stopped being a web developer about 8 years ago because I hated it, and trying to find all the vulnerabilities in my router is reminding me why.

  6. #6
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    I assume you have used some sort of intercepting web proxy (Burp, Paros) to view the HTTP logon transaction to see how it works?

    This will give you an idea of how the username and password are being passed to the XML page (URL parameter, cookie value, form post etc) which you will need to know to mount a proper attack. Using those tools you will also be able to trap and modify requests to see how it works (and breaks).

    It's possible you won't be able to download a useful version of the "code" for the XML file because there is likely some sort of server-side scripting going on on the router, and you usually won't be able to get this code by making HTTP requests unless some sort of misconfiguration has been performed.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  7. #7

    Default

    Getting a 503 error is very strange. I would have expected a 403 error instead. Can you pull any other web pages using wget? Also, have you tried to pull your XML page by passing a username & password in your wget request (I know that defeats your purpose, but it would be a useful test)?

  8. #8
    Junior Member
    Join Date
    Jul 2008
    Posts
    46

    Default

    Quote Originally Posted by lupin View Post
    I assume you have used some sort of intercepting web proxy (Burp, Paros) to view the HTTP logon transaction to see how it works?

    This will give you an idea of how the username and password are being passed to the XML page (URL parameter, cookie value, form post etc) which you will need to know to mount a proper attack. Using those tools you will also be able to trap and modify requests to see how it works (and breaks).

    It's possible you won't be able to download a useful version of the "code" for the XML file because there is likely some sort of server-side scripting going on on the router, and you usually won't be able to get this code by making HTTP requests unless some sort of misconfiguration has been performed.
    I have captured the transaction, and I am able to straight copy and paste the hash to gain admin rights. I know I can't just download it. But looking at the JavaScript in the files the index.html page uses (the logon page), it uses a parsing algorithm to grab elements by tag name. I've tried to modify the code to alert() me of the tag names and their contents, but I just don't know JavaScript well enough. I know if I sat down and went through it line by line and kept track of variables and values I could get further; it's just that that is going to take a LOT of time. I'm pretty good at picking up code, so I was looking for someone that had this problem and created a solution already so I can look at the code to get a better understanding.


    Quote Originally Posted by cybrsnpr View Post
    Getting a 503 error is very strange. I would have expected a 403 error instead. Can you pull any other web pages using wget? Also, have you tried to pull your XML page by passing a username & password in your wget request (I know that defeats your purpose, but it would be a useful test)?
    I've pulled the results of passing the correct username and password. It sends the browser a link to the pages that allow for configuring the router. BTW, you do not need authentication to view these pages, which is a huge flaw in my router. Fun fun.

    So far (if anyone is interested), I have found two security holes in my D-Link router. One: if you do a man-in-the-middle attack you can get the HTTP GET request for the hash. All you have to do is pass that to the XML file, and bingo, you get access. Orrrrrrrrrrrr, all you need to know is the address of one of the config pages, /status/someting.html (I've forgotten, it's been a few days). And I know if I can get the XML code somehow that would be another hole.

  9. #9
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Hmm OK.

    Maybe try Firebug in Firefox to help with inspection of the JavaScript? You could also try using a standalone debugger like Rhino/SpiderMonkey, although that can get awkward with supporting some of the web-specific JavaScript commands.

    How is the hash calculated and passed do you know?

  10. #10
    Junior Member
    Join Date
    Jul 2008
    Posts
    46

    Default

    Quote Originally Posted by lupin View Post
    Hmm OK.

    Maybe try Firebug in Firefox to help with inspection of the JavaScript? You could also try using a standalone debugger like Rhino/SpiderMonkey, although that can get awkward with supporting some of the web-specific JavaScript commands.

    How is the hash calculated and passed do you know?
    If you want I can copy and paste the code, but basically it pads it, then sends it to an MD5 function. The send command is basically:

    Code:
    var xml_loader = new ajax_xmlhttp("/post_login.xml?hash=" + login_hash, xml_ready, xml_timeout);

