I’m writing about a stored XSS which I found on Unifi controller v4.8.12I’m writing about multiple vulnerabilities which have been found while testing for private program. I would like to thanks dlitchfield for the xss and SQLI.
After the enumeration I got to know that xyz.com is using Oracle EBS so I’ve found multiple vulnerabilities in that.
It was observed that page biccfgd2.jsp is vulnerable to SQL injection, which may lead to application compromise. An attacker may add, modify and delete data of application.
An attacker may perform wide range of attacks that can be delivered via SQL injection, including reading or modifying critical application data and interfering with application logic. Further this vulnerability can be exploited to escalate privileges.
I setup the Netcat and run the following query:
As can be seen a http request was made from the vulnerable server to our attacking machine.
It was observed that the current installation of WFMs is vulnerable to XML External Entity attack AKA XXE, which may lead to sensitive information disclosure and data exfiltration as well as Server Side Request Forgery.
An attacker may perform wide range of attacks such as reading system local files containing sensitive information or use the server as a proxy to perform further attacks such as port scan and exploit other nodes on the same network.
Setup netcat listener, login with SOCSupervisor user and go to the following link:
After modifying the request
As can been seen a request has been initiated from the server to our attacking machine
It was observed that the ip parameter of printers.php page is vulnerable to cross site scripting attack. Cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application’s immediate response in an unsafe way.
Thanks for reading above vulnerabilities and hope that these were useful. 🙂