Acunetix Web Vulnerability Scanner 10.0 build 20160216 and previous versions, allows remote attackers to execute arbitrary JavaScript code in the context of the scanner GUI. The flaw exists in the way Acunetix WVS render some html elements inside it's GUI, using jscript.dll without any concert about unsafe ActiveX object such as WScript.shell. If Acunetix WVS triggers a vulnerability during a scan session, it saves a local html with the content of html page. With this, it's possible to trigger a fake vulnerability and inject a JavaScript code which triggers the remote command execution. This module also abuses of a second vulnerability affecting the Acunetix Web Vulnerability Scanner Scheduler. The Scheduler allows programmatically scanning of websites without any user interaction. It is possible to schedule a scan via the web interface listening on 127.0.0.1:8183. When a scan is scheduled, a new instance of Acunetix WVS is launched as SYSTEM. Previous to the real scan, several tests are performed on the target host using script files located in %ProgramData%\Acunetix WVS 10\Data\Scripts. Due to bad ACL's in this folder, any user can modify these scripts files. This module modifies the AJP_Audit.script file in order to execute an agent as SYSTEM.
Exploit Platform
Exploit Type
Product Name