background
Tenda wireless router used in dormitory in university is always maintained by me. I think it's necessary for everyone to manage their own wireless router easily. So I set up the design and development of Tenda wireless router management software based on A ndroid platform, and made an A for Tenda wireless router. Ndroid App.
As it happens, SegmentFault has recently been registered. The homepage often says, "Do you have any open source projects or works?" Reminder, I have not contributed to any open source projects, but the reminder has been in, still can not shut down, which annoying ah. Then I thought, if we don't open source Bishi's App, we might be able to help some students. But the code is two years ago, based on Eclipse, now is AS, so first refactor it. But now we use the BLink router for broadband transmission, which can only be reanalyzed.
Re-analysis of the time found that the goods login problems ah, the account password is exposed ah!!!
Login Analysis
Let's analyze it step by step. Enter IE to open the developer's tool. Enter the management address of BLink in the address bar: 192.168.16.1. Enter the login page as follows:
The login interface is very routine, and there's nothing special to say.
We right-click on the login interface and select "View Source" to see some of the source code of the login interface. We look directly at the javascript section:
<script language=JavaScript> if(top!=self)top.location.href =top.location.href; addCfg('username',0x010b0200,'nimda'); addCfg('password',0x01010200,'nimda');
WTF??? What's this addCfg? Why is it with a username password, but also the router login password I set up!!! So "humanized", but also afraid that users forget the login password, directly put the user name password into the source code of login???
Let's first look at the Cancel button:
<input type="button" value="cancel" onmouseover="change_over(this);" onmouseout="change_out(this);" name="cancel_button" class="button1" onClick="Cancel()">
When you click Cancel, the following js code will be called:
function Cancel() { document.frm.username.value=""; document.frm.password.value=""; document.getElementById("username").focus(); }
That is, when you click, empty the username password box.
Let's move on to the Login button:
<input type="button" value="Sign in" onmouseover="change_over(this);" onmouseout="change_out(this);" name="entry_button" class="button1" onClick="sumbit()">
The following js code is called when the click is obvious:
function sumbit() { var f=document.frm; var username=f.username.value; var password=f.password.value; if(f.username.value=="") { alert("User name is empty"); f.username.focus(); return false; } if(false == checklogin(f.username.value,f.password.value)) { alert("Error in username or password"); f.username.focus(); return false; } form2Cfg(f); // alert("cPage="+cPage);//tianshaoxian subForm(f,'setup.htm','login',cPage); }
This code is very routine, that is to get the user's input username password, and then determine whether the username is empty (curious why no longer judge whether the password is empty), and then call the checklogin method to check the correctness of the username password. Then comes the form2Cfg method, which I guess might be the way to save the correct form to the configuration file. Next comes the subForm method. From the method name and parameters, guess may be the jump action after the successful login.
Let's first look at the checklogin method:
function checklogin(name,password) { var m_username = "nimda"; var m_password = "nimda"; if(name!=m_username || password!=m_password) return false; else return true; }
WTF!!!! Once again, my username password has been exposed naked in the source code of the login interface. From this logic, this login authentication is only based on browser authentication!!! Verify directly in the browser and then enter the router management interface, really nobody!!!
Let's look at the if-else statement again. It's very uncomfortable. We can simply rewrite this code as follows:
function checklogin(name,password) { var m_username = "nimda"; var m_password = "nimda"; return name == m_username && password == m_password; }
There is no change in logic, but the code is more concise and clear. As a programmer ape, I seriously doubt that this code was written overtime.
Next are the form2Cfg and subForm methods:
function Cfg(i,n,v) { this.i=i; this.n=n; this.v=this.o=v; } var CA = new Array() ; function addCfg(n,i,v) { CA.length++; CA[CA.length-1]= new Cfg(i,n,v); } function form2Cfg(f) { for (var i=0;i<CA.length;i++) { var e=eval('f.'+CA[i].n); if ( e ) { if (e.disabled) continue; if ( e.length && e[0].type=='text' ) { if (e.length==4) CA[i].v=combinIP2(e); else if (e.length==6) CA[i].v=combinMAC2(e); } else if ( e.length && e[0].type=='radio') { for (var j=0;j<e.length;j++) if (e[j].checked) { CA[i].v=e[j].value; break; } } else if (e.type=='checkbox') setCfg(e.name, Number(e.checked) ); else setCfg(e.name, e.value); } } } function subForm(f1,a,d,g) { // alert("g="+g);//tianshaoxian if(g == "login.htm") { var msg=genForm_login('OUT',f1,a,d,g); //alert("msg="+msg);//tianshaoxian } else var msg=genForm('OUT',a,d,g); var newElem = document.createElement("div"); newElem.innerHTML = msg ; f1.parentNode.appendChild(newElem); f=document.OUT; f.submit(); }
I won't explain much here. > PS: My js are learning while looking while climbing the web pages. I don't know much about them. The above two methods can't understand and don't talk nonsense.
Crack login validation, bypass login interface
As mentioned above, user name validation is browser-based, and it only needs browser validation to go directly to the router management interface. So can we bypass login validation?
We first enter the user name and password according to the normal process, then click on login, and then we can see the following data packet exchange situation:
Is the Yellow marking familiar? It's not the parameters in the subForm that I saw when I analyzed the code above, which proves that my previous conjecture is correct. The subForm(f,'setup.htm','login',cPage) method is a jump action after the login validation action.
Now that we've said that login validation is done on the browser side, what if I pretend that I've already validated it?
Next, I tried to avoid the influence of cookies information left by normal login. I switched to 360 Extreme Speed Browser and built a new invisible window to open the setup.htm interface directly: No mistake, go straight in!!! Next we can do something unpleasant...
So far, it is a simple crack of the login process, and bypass the login, directly into the management interface.
Finally, I couldn't help tucking up again. I climbed the website of several systems in my school before I finished the design. I saw that the most low check is just checking the verification code on the browser. This is the first time that the user name password is sent to the browser to check it. It's really nobody.
Router Model Description
Of course, this router was broadband delivered in 15 years. It's been a long time.
Machine model: BL-845R;
Software version number: WRF 2414.20.6.1z;
I haven't updated the software either. Maybe later the manufacturer has repaired it, or maybe it still exists. This is waiting for you to discover.
Copyright Statement
This article is original for me, and all rights reserved!
No reprinting without permission!
> This article links to SegmentFault:
BLink Wireless Router Logon Vulnerability