Product: CF-WR623N (http://www.comfast.com.cn/index.php?m=content&c=index&a=show&catid=98&id=13)
Description: the URL filters are vulnerable to stored JavaScript injection through the URL filter fields.
The adv_filters_url.htm endpoint is the target of this vulnerability. This endpoint is used to add URL filters to the router. The variable SET0 is the location we inject into; it handles the entry of the filter within a table. In our case we want to inject into the second field, UF2, which maps to 0x0a070202, which in turn is 168231426.
Therefore our command will be CMD=FILTER&GO=home.htm&SET0=168231427=1;0;. When I test in Firefox I personally prefer using Firefox-specific payloads such as for testing.
Once the POST request above is submitted, going to Advanced Users > URL Filtering will trigger the alert. Once again, this is fairly useless and impact-less given our situation and the lack of required authentication.
I don't blog a lot, so I'll share my favorite payload, which leverages the movie / video content tags, which are never ever filtered.
The payload can be seen below.
<video controls oncanplay="alert()"><source src="http://mirrors.standaloneinstaller.com/video-sample/lion-sample.mp4"></video>
Once the page is refreshed we'll have the audio and video of lion-sample.mp4 within the page.
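The root cause described above is that a URL filter entry is stored and rendered into the filter table as-is. The following is an added example, not the router's firmware or any vendor code, of the server-side check such an endpoint should apply: a strict grammar for what a URL filter may look like (hostname with optional wildcard, port and path), plus HTML encoding when the stored entry is written into the table. The function names, the regex and the sample submission are all assumptions constructed for this example.

```python
import html
import re

# Grammar for one URL-filter entry (an assumption for this example): optional
# http(s) scheme, a hostname of dot-separated labels with an optional leading
# "*." wildcard, an optional port, and an optional path of URL-safe characters
# (with "*" allowed as a wildcard). Angle brackets, quotes, spaces and
# non-http schemes never match, so markup cannot reach storage.
_ENTRY_RE = re.compile(
    r"^(?:https?://)?"
    r"(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"
    r"(?::\d{1,5})?"
    r"(?:/[A-Za-z0-9._~/%*-]*)?$",
    re.IGNORECASE,
)

def is_valid_filter(entry: str) -> bool:
    """True only if the entry is a plausible URL filter under the grammar above."""
    return 0 < len(entry) <= 1024 and _ENTRY_RE.match(entry) is not None

def accept_filters(submitted: list[str]) -> tuple[list[str], list[str]]:
    """Split a submission into (accepted, rejected). Only accepted entries are
    stored; a rejected entry containing '<' or a quote is never a URL and is a
    useful detection signal on its own."""
    accepted, rejected = [], []
    for entry in submitted:
        (accepted if is_valid_filter(entry) else rejected).append(entry)
    return accepted, rejected

def render_row(index: int, entry: str) -> str:
    """Render a stored entry as a table row with contextual HTML encoding, so
    even an entry that somehow bypassed validation is shown as text."""
    return f"<tr><td>UF{index}</td><td>{html.escape(entry, quote=True)}</td></tr>"

# Constructed sample submission: two real filters, the video-tag payload shape
# shown on this page (with a placeholder media URL), and a javascript: URL.
SAMPLE_SUBMISSION = [
    "example.com",
    "*.ads.example.net/track/*",
    '<video controls oncanplay="alert()"><source src="http://example.invalid/x.mp4"></video>',
    "javascript:alert()",
]

if __name__ == "__main__":
    ok, bad = accept_filters(SAMPLE_SUBMISSION)
    print("stored:", ok)
    print("rejected:", bad)
    print(render_row(2, SAMPLE_SUBMISSION[2]))
```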