CVE-2021-45026 PoC — ASG technologies ASG-Zena Cross Platform Server Enterprise Edition 跨站脚本漏洞

Source

Associated Vulnerability

Readme

# Zena - Stored XSS to RCE Exploit POC

**Exploit POC for Rocket Software's Zena application v. 4.2.1 - Stored XSS to RCE**

[CVE-2021-45025](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45025)

[CVE-2021-45026](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45026)

[https://phoenix-sec.io/2022/06/17/Zena-CookieMonsteRCE.html](https://phoenix-sec.io/2022/06/17/Zena-CookieMonsteRCE.html)

**Credits:** James Barnett and Jeff Green

POC Process:
- Logs into Zena's webconfig page using default credentials
- Drops Stored XSS payload
- Payload needs to be triggered by someone navigating to the webconfig page
- Triggered payload uses REST API backend of Zena to find an agent and build a Task for that agent
- Task is then triggered for agent thus executing the specified command

**To Run:**
- python CookieMonster.py <hostname/ip> <TLS/SSL - True or False> <cmd.exe command>
  - **Example: python3 CookieMonster.py 127.0.0.1 False "/c whoami > c:/out.txt"**

File Snapshot

 [4.0K]  /data/pocs/f29c1673def8b672a57bbc7f464715e8be591361
├── [3.9K]  CookieMonster.py
├── [6.3K]  payload-js.txt
└── [ 982]  README.md

0 directories, 3 files

Remarks