Netgear R7000 – Cross-Site Scripting

Exploit Database
33 阅读

作者： Vincent Yiu

日期： 2016-12-11
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/40898/

# Exploit Title: Netgear R7000 - XSS via. DHCP hostname
# Date: 11-12-2016
# Exploit Author: Vincent Yiu
# Contact: https://twitter.com/vysecurity
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware / WebApp
# Version: V1.0.7.2_1.1.93 + LATEST to date
 
-Vulnerability
An user who has access to send DHCP via either VPN or Wireless connection can serve a host name with script tags to trigger XSS.

Could be potentially used to connect to open or guest WIFI hotspot and inject stored XSS into admin panel and steal cookie for authentication.

http://RouterIP/start.htm

Then visit the "view who's connected" page.
 
-Proof Of Concept
Set /etc/dhcp/dhclient.conf

send host-name "<script>alert('xss')</script>";

last Exploits
Netgear R7000 – Cross-Site Scripting的更多信息

Nuts CMS – PHP Remote Code Injection / Execution：
Google Urchin 5.7.03 – Local File Inclusion：
Joomla! Component com_wgpicasa – Local File Inclusion：
Joomla! Component Music Collection 3.0.3 – SQL Injection：
Joomla! Component Fastball 2.5 – ‘season’ SQL Injection：
Web Ofisi Platinum E-Ticaret 5 – ‘q’ SQL Injection：
WordPress Plugin Localize My Post 1.0 – Local File Inclusion：
Tiki Wiki CMS Groupware 8.2 – ‘snarf_ajax.php’ Remote PHP Code Injection：