CVE-2023-34856: Stored Cross-Site Scripting (XSS) Vulnerability in 友讯电子设备(上海) D-Link Routing Management Page Version: DI-7500G-CI-19.05.29A1 · Issue #2 · hashshfza/Vulnerability
A Cross Site Scripting (XSS) vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /auth_pic.cgi.
- Search for vulnerable products on the internet
Go to https://hunter.qianxin.com/ and use the following query to find potentially vulnerable devices exposed on the internet: web.body="<title id="login_title">D-Link路由器管理页</title>"
A list of vulnerable targets is as follows:
- Log in with the default credentials
The default credentials are admin : admin
Login successful.
- Upload your payload
First, click on "认证管理" (authentication management).
Second, click on "认证页面管理" (authentication page management).
Then click to browse for a file; the page only accepts a file whose name ends in ".jpg", ".png" or ".gif".
Finally, click on upload, and use Burp Suite to intercept the request.
Change the ".png" suffix marked in the figure to ".html" and forward the request.
The payload is then triggered by opening the link to the uploaded file.
It is important to note that victims can access this URL without logging in.
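From a defender's point of view, the root cause is an upload check that trusts the client-supplied suffix (which the proxy rename bypasses) and a download path that then serves the stored file, unauthenticated, in a way the browser renders as HTML. The following added example is not code from this issue or from D-Link firmware; it is a server-side validator, with assumed function names, that checks the extension allowlist, the file signature and the filename, and returns the headers an image-only download path should send.

```python
import re

# Allowlist for the authentication-page image upload (constructed for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Well-known file signatures for the allowed image formats.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}

# Base name may contain only safe characters; no dots, so "x.html.png" tricks fail.
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, data: bytes):
    """Server-side check that never trusts the client-supplied name alone.

    Returns (ok, reason). The suffix is re-validated here, so renaming the
    file to ".html" in an intercepting proxy is rejected, and a file that
    carries an image suffix but does not start with that image's signature
    is rejected as well."""
    if any(c in filename for c in ("/", "\\", "\x00")):
        return False, "path characters in filename"
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        return False, "missing extension"
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not SAFE_BASE.match(base):
        return False, "unsafe base name"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, f"content does not match .{ext} signature"
    return True, "ok"


def download_headers(ext: str) -> dict:
    """Headers for serving a stored upload: a fixed image type, no MIME sniffing,
    so even a mis-stored file is never interpreted as an HTML document."""
    return {
        "Content-Type": CONTENT_TYPES[ext.lower()],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
    }
```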