简体繁体 English

编译并运行Exploit-DB代码

[英]Compiling and running Exploit-DB code

原文 2015-03-04 11:08:05 8 2 javascript/ exploit

I found this exploit on exploit-db, and it matches my router version. 我在exploit-db上发现了这个漏洞，它与我的路由器版本匹配。 I'm somewhat a n00b, and I wanted to know if anyone knew how to use this exploit to exploit a router. 我有点像n00b，我想知道是否有人知道如何使用此漏洞利用路由器。 Or rather, how to compile and execute this exploit. 或者更确切地说，如何编译和执行此漏洞利用。

I've done an exhaustive search, and still couldn't find a way. 我已经进行了详尽的搜索，但仍然找不到方法。

http://www.exploit-db.com/exploits/35325/ http://www.exploit-db.com/exploits/35325/

Thanks. 谢谢。 PS- This language, is I'm not wrong, is javascript right? PS-这种语言，我没看错，javascript对吗？ So how do I compile and run this exploit? 那么，如何编译和运行此漏洞利用程序？

2 个解决方案

These are just HTTP GET methods : The router seems to suffer from remote directory traversal (you're not supposed to access parent directories from a URL, using ../ ). 这些只是HTTP GET方法：路由器似乎遭受远程目录遍历的困扰（您不应使用../从URL访问父目录）。

You can do that with anything that can do HTTP requests (browsers, tools, most programming languages, etc.). 您可以使用任何可以进行HTTP请求的功能（浏览器，工具，大多数编程语言等）来执行此操作。 In the "exploit", Mozilla Firefox browser was used. 在“漏洞利用”中，使用了Mozilla Firefox浏览器。 Just go to this URL, it's simple as that! 只需转到该URL，就这么简单！

This exploit is 12 years old, and I would be suprised if it still wouldn't be fixed. 该漏洞利用已有12年的历史，如果仍然无法解决，我将感到惊讶。 Also the list DOESN'T contain ANY javascript , and doesn't tell you the exact way to exploit the weakness, however you can read description as it says: 此外，列表不包含任何javascript ，并且没有告诉您利用该弱点的确切方法，但是您可以阅读说明，内容如下：

The router suffers from an authenticated file inclusion vulnerability (LFI) when input passed thru the 'getpage' parameter to 'webproc' script is not properly verified before being used to include files. 当通过“ getproc”参数传递给“ webproc”脚本的输入传递的路由器在用于包含文件之前未得到正确验证时，将遭受经过身份验证的文件包含漏洞（LFI）。 This can be exploited to include files from local resources with directory traversal attacks. 可以利用它来利用目录遍历攻击将本地资源中的文件包括在内。