本篇文章以路由器固件相关漏洞来演示,从0到1分享经验。
本地虚拟机搭建ubuntu 16.04
ubuntu iso下载地址:http://mirrors.aliyun.com/ubuntu-releases/
安装完,给root用户新增个密码
sudo passwd root
切换到root用户
su root
修改阿里云镜像:
vi /etc/apt/sources.list
打开文件不要做任何操作,直接输入 ggdG 清空当前文件内容,注意 G 是大写
ggdG
然后粘贴以下内容
#deb cdrom:[Ubuntu 16.04 LTS Xenial Xerus - Release amd64 (20160420.1)]/ xenial main restricted deb-src
http://archive.ubuntu.com/ubuntu xenial main restricted #Added by
software-properties deb http://mirrors.aliyun.com/ubuntu/ xenial main
restricted deb-src http://mirrors.aliyun.com/ubuntu/ xenial main
restricted multiverse universe #Added by software-properties deb
http://mirrors.aliyun.com/ubuntu/ xenial-updates main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-updates main
restricted multiverse universe #Added by software-properties deb
http://mirrors.aliyun.com/ubuntu/ xenial universe deb
http://mirrors.aliyun.com/ubuntu/ xenial-updates universe deb
http://mirrors.aliyun.com/ubuntu/ xenial multiverse deb
http://mirrors.aliyun.com/ubuntu/ xenial-updates multiverse deb
http://mirrors.aliyun.com/ubuntu/ xenial-backports main restricted
universe multiverse deb-src http://mirrors.aliyun.com/ubuntu/
xenial-backports main restricted universe multiverse #Added by
software-properties deb http://archive.canonical.com/ubuntu xenial
partner deb-src http://archive.canonical.com/ubuntu xenial partner deb
http://mirrors.aliyun.com/ubuntu/ xenial-security main restricted
deb-src http://mirrors.aliyun.com/ubuntu/ xenial-security main
restricted multiverse universe #Added by software-properties deb
http://mirrors.aliyun.com/ubuntu/ xenial-security universe deb
http://mirrors.aliyun.com/ubuntu/ xenial-security multiverse
更新镜像源(注意不同版本的镜像源是不一样的)
sudo apt-get update
安装python3.7
因为ubuntu 16.04带的python是3.5的,而 Binwalk 要求3.6以上。
sudo add-apt-repository ppa:deadsnakes/ppa sudo apt-get update sudo
apt-get install python3.7
修改apt指定的python3
sudo update-alternatives --install /usr/bin/python3 python3
/usr/bin/python3.5 1 sudo update-alternatives --install
/usr/bin/python3 python3 /usr/bin/python3.7 2
update-alternatives命令可以修改系统默认命令的软链指向,通过以下命令,可以切换Python3的指向
sudo update-alternatives --config python3
查看一下是否安装成功:
检测版本:
python3 -V
安装binwalk(也可翻到后文直接使用自动化工具《自动安装binwalk》)
git clone https://github.com/ReFirmLabs/binwalk.git cd binwalk sudo
./deps.sh sudo python3 setup.py install
安装unzip
apt install unzip
解压缩固件
unzip DLink_DIR645_A1_FW102B08.zip
如上图,可以看到成功解包
DIR-645信息泄露
比如,这里是DIR645的固件包,我们直接去看web目录下的 getcfg.php文件
HTTP/1.1 200 OK
Content-Type: text/xml
<?echo "<?";?>xml version="1.0" encoding="utf-8"<?echo "?>";?>
<postxml>
<? include "/htdocs/phplib/trace.php";
if ($_POST["CACHE"] == "true")
{
echo dump(1, "/runtime/session/".$SESSION_UID."/postxml");
}
else
{
/* cut_count() will return 0 when no or only one token. */
$SERVICE_COUNT = cut_count($_POST["SERVICES"], ","