
Thread: xml downloading when not allowed

  1. #11 lupin (Super Moderator)

    Quote Originally Posted by cgkades:
    If you want I can copy and paste the code, but basically it pads it, then sends it to an MD5 function. The send command is basically:

        var xml_loader = new ajax_xmlhttp("/post_login.xml?hash=" + login_hash, xml_ready, xml_timeout);

    Yeah OK, pretty straightforward login process. Have you looked into how it maintains a session once the login is validated? There might also be an opportunity for session hijacking there.

    Edit: Also, have you tried fuzzing of the login form to see the impact of various different values?
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  2. #12 cgkades (Junior Member)

    Quote Originally Posted by lupin:
    Yeah OK, pretty straightforward login process. Have you looked into how it maintains a session once the login is validated? There might also be an opportunity for session hijacking there.

    Edit: Also, have you tried fuzzing of the login form to see the impact of various different values?

    It isn't maintaining sessions. It just sends the user the correct link. I've completely logged out, cleared my cache, cookies, auth sessions, EVERYTHING, entered that link, and I have access to the pages.

    I'm not sure what fuzzing is... I've only given it known bad hashes to see what it does with them, but I don't think that's what you mean.

  3. #13 lupin (Super Moderator)

    Quote Originally Posted by cgkades:
    It isn't maintaining sessions. It just sends the user the correct link. I've completely logged out, cleared my cache, cookies, auth sessions, EVERYTHING, entered that link, and I have access to the pages.

    I'm not sure what fuzzing is... I've only given it known bad hashes to see what it does with them, but I don't think that's what you mean.

    Does it maintain state at all after login? So for example you log in to the router, and after login you presumably go to some other admin pages in the router to change various router settings. Does it confirm somehow that the browser that logged in on the login page is the same browser that is now accessing those other configuration pages? So basically, does it keep track of who you are after you have logged in?

    For example, can you close and reopen your browser, clear cookies, etc., and then immediately go to one of the pages that is normally accessed after the login screen?

    Fuzzing is basically throwing lots of bad values at an application to see how it reacts and if you can cause it to crash. So it's what you were doing by passing bad hashes, only faster. SPIKE Proxy is one fairly well known web fuzzer.

  4. #14 cgkades (Junior Member)

    Quote Originally Posted by cgkades:
    I've completely logged out, cleared my cache, cookies, auth sessions, EVERYTHING, entered that link, and I have access to the pages.

    Quote Originally Posted by lupin:
    For example, can you close and reopen your browser, clear cookies, etc., and then immediately go to one of the pages that is normally accessed after the login screen?

    There is no tracking of who the user is. All it seems to do is hide the config pages from the user using the XML page. So that's why I'm so curious about getting the information stored in it.

  5. #15 lupin (Super Moderator)

    Quote Originally Posted by cgkades:
    There is no tracking of who the user is. All it seems to do is hide the config pages from the user using the XML page. So that's why I'm so curious about getting the information stored in it.

    So the one XML page entered in the browser allows you to log in and do all configuration changes? Do you pass the function you want to perform as a parameter to the XML page or something, with the hash passed also to authenticate you, e.g. something like:

    This for DHCP
    http://ipaddress/XML?page=DHCP&hash=blah

    And this for PortForwarding (as an example only)
    http://ipaddress/XML?page=PortForward&hash=blah

    Or does it use different pages for different functions, but just pass the authentication hash as a parameter with every page request?

    If it does work like this, fuzzing of URL parameters would be a useful way to proceed in lieu of having the page source...

  6. #16 cgkades (Junior Member)

    The XML page is only for authentication. If the correct hash is sent to it, it returns a link to the config pages. The only thing that gets sent to the XML page from the "address bar" is the hash=2342342344335643. There is some JavaScript that reads the XML document and parses it. I'm just going to have to go through it line by line with a notepad and see what's going on.

  7. #17 lupin (Super Moderator)

    Quote Originally Posted by cgkades:
    The XML page is only for authentication. If the correct hash is sent to it, it returns a link to the config pages. The only thing that gets sent to the XML page from the "address bar" is the hash=2342342344335643. There is some JavaScript that reads the XML document and parses it. I'm just going to have to go through it line by line with a notepad and see what's going on.

    So you can get right to the config pages by just knowing their URLs? The login XML page only protects the configuration by "hiding" the config URLs? Boy, that sucks.

  8. #18 cgkades (Junior Member)

    Quote Originally Posted by lupin:
    So you can get right to the config pages by just knowing their URLs? The login XML page only protects the configuration by "hiding" the config URLs? Boy, that sucks.

    Yup, you got it. It's strange.
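The flaw the thread converges on in posts #13, #17 and #18 (the XML login only hides the config URLs; the config pages never check who is asking) is easiest to see as two request handlers side by side. This is an added illustration, not code from the router or from either poster: `weak_handle` models the described behaviour, `HardenedRouter` shows the fix lupin is asking about (a random session token issued at login and required on every config request). The paths, the hash value and the page names are constructed placeholders.

```python
import hmac
import secrets

# Constructed placeholder for the hash the router expects at /post_login.xml.
# How it is derived (padding + MD5 per the thread) is not the point here;
# whether the config pages check anything at all is.
EXPECTED_LOGIN_HASH = "2342342344335643"
CONFIG_PAGES = {"/config/dhcp", "/config/portforward"}   # constructed names


def weak_handle(path, params, cookies=None):
    """Model of the thread's router: the XML page verifies the hash and hands
    back the config link, but the config pages themselves check nothing.
    Returns (status, body, cookies_to_set)."""
    if path == "/post_login.xml":
        if hmac.compare_digest(params.get("hash", ""), EXPECTED_LOGIN_HASH):
            return 200, "<login><link>/config/dhcp</link></login>", {}
        return 403, "<login><error>bad hash</error></login>", {}
    if path in CONFIG_PAGES:
        return 200, "config page", {}      # anyone who knows the URL gets in
    return 404, "", {}


class HardenedRouter:
    """Same login exchange, but success mints an unguessable session token and
    every config request must present it; knowing the URL is no longer enough."""

    def __init__(self):
        self.sessions = set()

    def handle(self, path, params, cookies=None):
        cookies = cookies or {}
        if path == "/post_login.xml":
            if hmac.compare_digest(params.get("hash", ""), EXPECTED_LOGIN_HASH):
                token = secrets.token_urlsafe(32)     # fresh per login
                self.sessions.add(token)
                return 200, "<login><link>/config/dhcp</link></login>", {"session": token}
            return 403, "<login><error>bad hash</error></login>", {}
        if path in CONFIG_PAGES:
            if cookies.get("session") in self.sessions:
                return 200, "config page", {}
            return 401, "login required", {}   # the check the real device lacks
        return 404, "", {}

    def logout(self, cookies):
        """Invalidate the token so a cleared-and-reopened browser really is logged out."""
        self.sessions.discard((cookies or {}).get("session"))
```

lupin's "close the browser, clear cookies, then hit a config page" test maps directly onto calling `handle` for a config path with an empty cookie dict: the weak model returns 200, the hardened one 401.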
