
@james-otten
Last active Dec 15, 2020

SolarWinds Database Performance Analyzer Various XSS CVE-2018-16243

James Otten 8/30/2018

All items tested in versions 11.1.468 and 12.0.3074.

logViewer.iwc

Instance 1

  • As a low privileged read only user, navigate to /iwc/reports.iwc?repo_id=1&db_id=&filterDbId=<svg/onload=alert(/error_log/)>&type=&pm=P
  • As a privileged user, go to /iwc/logViewer.iwc and view the contents of the iwc or error log.
  • XSS experienced.

Instance 2

  • As a privileged user, navigate to /iwc/userAdministration.iwc?action=3&addType=0&pm=P and try to add a user with the name <img src=x onerror=alert(\add_user\)>
  • As a privileged user, go to /iwc/logViewer.iwc and view the contents of the iwc or error log.
  • XSS experienced.

There are several other ways to get XSS on /iwc/logViewer.iwc
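Both logViewer.iwc instances rely on a payload being written into the iwc or error log first (via a query parameter as a read-only user, or via a user name) and then rendered unencoded when an administrator opens the log viewer. As an added example that is not part of this gist, the following script flags log entries whose user-controlled fields carry HTML markup or event-handler attributes, so the stored payload is noticed before anyone opens it in a viewer. The JSON-lines log format and the field names (ts, user, event, url, name) are constructed for the example and are not DPA's real log format; the sample values reuse the payload strings from the advisory.

```javascript
// Added example (not from the gist): detect markup in user-controlled log fields.
// Log line format below is constructed for this example, not DPA's own format.

// Patterns that should never appear in a plain-text field such as a query
// parameter value or a user name.
const SUSPICIOUS = [
  /<\s*[a-z][\w-]*[^>]*>/i, // any HTML tag, e.g. <svg ...> or <img ...>
  /\bon[a-z]+\s*=/i,        // inline event handler such as onload= or onerror=
  /javascript\s*:/i,        // javascript: URL scheme
];

// Constructed sample log lines; the payloads are the ones listed in the advisory.
const LOG_LINES = [
  '{"ts":"2018-08-30T10:00:00Z","user":"reader","event":"request","url":"/iwc/reports.iwc?repo_id=1&db_id=&filterDbId=%3Csvg%2Fonload%3Dalert(%2Ferror_log%2F)%3E&type=&pm=P"}',
  '{"ts":"2018-08-30T10:01:00Z","user":"admin","event":"user_added","name":"<img src=x onerror=alert(/add_user/)>"}',
  '{"ts":"2018-08-30T10:02:00Z","user":"reader","event":"request","url":"/iwc/reports.iwc?repo_id=1&db_id=2&pm=P"}',
  '{"ts":"2018-08-30T10:03:00Z","user":"admin","event":"user_added","name":"alice"}',
];

// URL-decode one query parameter value; fall back to the raw value on malformed input.
function decodeParam(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, ' '));
  } catch (e) {
    return value;
  }
}

// Extract the decoded query string values from a logged request URL.
function paramValues(url) {
  const q = url.indexOf('?');
  if (q < 0) return [];
  return url
    .slice(q + 1)
    .split('&')
    .map((kv) => decodeParam(kv.split('=').slice(1).join('=')));
}

// Return the source of every SUSPICIOUS pattern that matches the text.
function findMarkup(text) {
  return SUSPICIOUS.filter((re) => re.test(text)).map((re) => re.source);
}

// Scan JSON log lines and report each user-controlled value that contains markup.
function scanLogLines(lines) {
  const findings = [];
  lines.forEach((raw, i) => {
    let entry;
    try {
      entry = JSON.parse(raw);
    } catch (e) {
      return; // skip unparsable lines rather than abort the scan
    }
    const values = entry.event === 'request' ? paramValues(entry.url || '') : [entry.name || ''];
    for (const v of values) {
      const rules = findMarkup(v);
      if (rules.length) findings.push({ line: i + 1, user: entry.user, value: v, rules });
    }
  });
  return findings;
}

// Run stand-alone: prints one finding per flagged value (lines 1 and 2 of the sample).
console.log(JSON.stringify(scanLogLines(LOG_LINES), null, 2));
```

The scan is a triage aid, not a fix: the log viewer still has to HTML-encode every logged value at render time, since attackers control the exact bytes that reach the log and regexes like these can be evaded.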

centralManage.cen

Instance 1

  • As a privileged user, go to /iwc/centralManage.cen.
  • Add a server.
  • For "Notes" use <img src=x onerror=alert(/notes/)>.
  • After saving, click notes for the server you added.
  • XSS experienced.

Instance 2

  • As a privileged user, go to /iwc/centralManage.cen.
  • Add a server.
  • For "Display Name" use "onmouseover=alert(/1/)//.
  • For "Server Name" use "onmouseover=alert(/2/)//.
  • For "Notes" use "AAAA".
  • After saving, mouse over the notes for the server you added.
  • XSS experienced.
  • Edit the server you added.
  • Mouse over the "Display Name" textbox.
  • XSS experienced.
  • Mouse over the "Server Name" textbox.
  • XSS experienced.

userAdministration.iwc

  • As a privileged user, go to /iwc/userAdministration.iwc?action=1&pm=P.
  • Add a user.
  • For "Name" use <input/autofocus/onfocus=alert(1)>.
  • After saving, delete the user.
  • XSS experienced.

database.iwc

Instance 1

  • As a privileged user, go to /iwc/customMetrics.iwc?pm=P.
  • Add a custom metric.
  • For "Display Name" use <img src=x onerror=alert(/custom_resource_metric_display_name/)>.
  • After saving, view the "Resources" tab in the context of a database instance.
  • XSS experienced.

Instance 2

  • As a privileged user, go to /iwc/customMetrics.iwc?pm=P.
  • Add a custom metric.
  • For "Description" use <img src=x onerror=alert(/custom_resource_metric_description/)>.
  • After saving, view the "Resources" tab in the context of a database instance.
  • Click "Add Resource Chart" and select your resource.
  • Click the gear to view the settings for your resource and you are taken to /iwc/healthMetricsConfigure.iwc.
  • XSS experienced.

Instance 3

  • As a privileged user, navigate to /iwc/adminManage.iwc?pm=P and add or modify an existing "Instance Group".
  • Set the "Name" to your XSS payload <img src=x onerror=alert(/instance_group/)>
  • Save (XSS experienced with popup message).
  • View one of the instances that is a part of your new "Instance Group", for example /iwc/database.iwc?dbGroup_id=1&repo_id=1
  • XSS experienced.

alertManagement.iwc

  • As a privileged user, navigate to /iwc/alertMain.iwc?tab=1&pm=P and go to the "Alert Groups" tab.
  • Click "Create Alert Group".
  • For "Group Name" use <img src=x onerror=alert(/alert_group_name/)>
  • Add an alert, a database instance, and save.
  • XSS experienced in popup message.
  • If your "Name" is long enough, and you mouse over the "Name" column for the row you added, you will get XSS with the tooltip (showToolTip in the common js library).
  • Click on the "Alert Status" tab or the "Manage Alerts" tab.
  • View an alert that would be in the alert group you created.
  • XSS experienced on /iwc/alertManagement.iwc
  • Go back to the "Alert Groups" tab and delete the item you added.
  • XSS experienced.

eventAnnotations.iwc

  • As a privileged user, navigate to /iwc/eventAnnotations.iwc?pm=P and select a database instance.
  • Click "Add Annotation".
  • For "Annotation" use <img src=x onerror=alert(/annotation_name/)>.
  • For "Occurred At" use the current time.
  • For "Details" use <img src=x onerror=alert(/annotation_desc/)>
  • For "Created By" use <img src=x onerror=alert(/annotation_created_by/)>
  • Save.
  • XSS experienced on the "Annotations" page, for example /iwc/eventAnnotations.iwc?pm=P&dbId=1.
  • View "Trends" for the database instance to which you added the annotation, for example /iwc/database.iwc?repo_id=1&db_id=1&pm=P
  • Click on the annotation you created.
  • XSS experienced for "Details" and "Created By".

central.cen

  • As a privileged user, go to /iwc/centralManage.cen.
  • Add a server.
  • For "Display Name" use "Mouse over me".
  • For "Server Name" use ') | alert()//.
  • After saving, navigate to /iwc/central.cen.
  • Mouse over the server you added in the "Unavailable Servers" table.
  • XSS experienced.