Friday, 24 June 2016

/////ZTE MF65 -- local file listing method 3(LFLM )The Full Package /////

/////ZTE MF65 -- local file listing method 3(LFLM )The Full Package /////

another super quick one for a even better listing in the web application with the ability to change your path via the sd card settings, we use the exploit from last time to gain a web app access to the web folder, this time though we have a little bit more work to do, so here we go from the start :


POST /goform/goform_set_cmd_process HTTP/1.1
Host: 192.168.0.1

isTest=false&goformId=HTTPSHARE_AUTH_SET
&HTTP_SHARE_STATUS=Enabled
&HTTP_SHARE_WR_AUTH=readWrite
&HTTP_SHARE_FILE=..%2Fweb%2F


using the HTTP_SHARE_FILE= param we can change the displayed folders in the sd card manager,
you will need to be logged in for this method.

so your work flow is:
  1. login
  2. send request to change path 
  3. logout
use the httpguest button to see the files

now we will navigate to web/js/config/ then we will download the config.js file and change the line :

 SD_BASE_PATH: /mmc2/

to

 SD_BASE_PATH: /

and reupload it as what ever name you would like i did config.js.1
 and then rename the original config.js then rename the new config to replace the old one, i wouldnt screw around for too long though as not having the config file may mess things up, now refresh your page and check you sd card settings page to see our changes,

 here i must

Warn againest changes of //web/js/config/config.js
Line : SD_BASE_PATH: /mmc2/
 
Againest any directory transverals. in any sense or method as they will not work...

any changes to this path that will reflect as " "(an empty path) will render the online sd functions unusable and returning to normal operation at this point is not available via the methods we can employ.. (we need telnet)

so dont upload the file with  /mmc2/../ or anything like that,

till next time,
shoot straight,
FrankSxx

No comments:

Post a Comment