.png)
9 months ago
74 BOOK THIS SPACE FOR AD
ARTICLE AD
If you are new here, I am deadoverflow and I post security write up’s as well as other educational content for free so a follow here or on Instagram or a subscribe on YouTube would be highly appreciated as I tend to upload some stuff there as well.
I discovered that my router has a hidden feature which allows me to scan, from the router, what are the nearby networks and display them.
So my first thought was to turn on the hotspot on my phone to see if the router would load it here, and sure enough, he did.
Now my idea is to try and store a basic XSS payload as a name of my hotspot and that’s what I did.
When I loaded the radar functionality again on my router’s web interface I was greeted with an alert(1) being called.
This right now is still far from being a vulnerability even though it is actually XSS since there is no way to exploit this, right? Well, let me explain now how I leveraged this into a powerful vulnerability.
First problem now is how can I make victim actually visit this radar page since the router’s web interface was protected with a login screen.
However default password and username for this router is:
Username: user
Password: user
People tend not to change the default credentials since it’s not quite accessible to anyone on the internet but the people already connected to their network. The way that this router handles authentication is really not secure and an attacker can just embed the credentials into a URL while access the web interface like this:
If I now visit, http://user:user@192.168.1.1, I will immediately be logged in to the router’s web interface.
Now the problem is, this logs in the user who visits the link but this will not take the user to the radar page right away, the user has to click “radar” on the side panel.
I opened the Chrome Developer tools and noticed that radar functionality is just a file that gets loaded into an iframe on http://192.168.1.1
Therefore, I can send the victim this link: http://user:user@192.168.1.1/wlvis/visindex.asp, and be close to their house to turn on hotspot with malicious JS and once the victim visits the link I can take their password.
There is still a problem, storing an exploit in just 32 characters, so I will leave that for the next part!
If you have any questions, you can reach out to me via email ihusanovic3@gmail.com or on Instagram @dead0verflow https://instagram.com/dead0verflow
I will be trying to answer any questions you may have since I get a lot of them!
Bengali (Bangladesh) · 
English (United States) ·