header-logo
Suggest Exploit
vendor:
DI-524
by:
Semen Alexandrovich Lyhin
4.8
CVSS
MEDIUM
Stored and Reflected XSS
79
CWE
Product Name: DI-524
Affected Version From: V2.06RU
Affected Version To: V2.06RU
Patch Exists: YES
Related CWE: CVE-2019-11017
CPE: h:d-link:di-524
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2019

Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524

To re-create Reflected XSS vulnerability, log in to the Web Configuration (default credentials are: "admin":"" without double quotes), and send GET request to the router with malformed vulnerable parameter: http://$IP/cgi-bin/smap?RC=@smap%22-$PAYLOAD-%22&rd=x&SEO=o&AC=O&SnO=1&SHO=2&StO=1&SpO=1&SPO=1 Where $IP may be equal to "192.168.0.1", $PAYLOAD may be equal to "alert(document.location)". Stored XSS's were found in web forms on pages /spap.htm, /smap.htm. To inject malicious JavaScript to victim's webpage, an attacker should authorize on the router, then put a payload to any of the vulnerable forms, and wait, until victim opens router's web interface and goes to vulnerable page.

Mitigation:

Ensure that user input is properly validated and sanitized before being used in web applications.
Source

Exploit-DB raw data:

# Exploit Title: Multiple Stored and Reflected XSS vulnerabilities in D-Link DI-524
# Date: April 6, 2019
# Exploit Author: Semen Alexandrovich Lyhin (https://www.linkedin.com/in/semenlyhin/)
# Vendor Homepage: https://www.dlink.com
# Version: D-Link DI-524 - V2.06RU
# CVE : CVE-2019-11017 

To re-create Reflected XSS vulnerability, log in to the Web Configuration (default credentials are: "admin":"" without double quotes), and send GET request to the router with malformed vulnerable parameter:

http://$IP/cgi-bin/smap?RC=@smap%22-$PAYLOAD-%22&rd=x&SEO=o&AC=O&SnO=1&SHO=2&StO=1&SpO=1&SPO=1

Where $IP may be equal to "192.168.0.1", $PAYLOAD may be equal to "alert(document.location)".

Stored XSS's were found in web forms on pages /spap.htm, /smap.htm. To inject malicious JavaScript to victim's webpage, an attacker should authorize on the router, then put a payload to any of the vulnerable forms, and wait, until victim opens router's web interface and goes to vulnerable page.

I haven't tested all the admin panel of the router, so I can guess that there are other XSS vulnerabilities in this router.

Navigation

Suggest Exploit

Services By CQR