Friday, 14 July 2023

Full Disclosure - WBCE 1.6.1

Application

  • WBCE v1.6.1 

Information 

  • Input not validated 
  • Stored Cross-Site Scripting (XSS) flaw

Exploit 


Steps to Exploit: 

1. Log in to the application
2. Browse to the following URI: "http://host/wbce/admin/pages/intro.php"
3. Paste the XSS payload "TEST"><img src=x onerror=alert(1)>
4. Then browse to Settings -> General Settings -> Enable Intro Page -> Enabled
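
The fix for this class of flaw is encoding the stored value for the HTML context it is written into. The PHP below is an added example, not WBCE's code and not part of the original advisory. It assumes the value is echoed into an attribute (the `">` in the step 3 payload points that way), reads the payload without its leading quotation mark, and uses hypothetical names for the helpers and the `intro` field.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names come from WBCE.

function render_unsafe(string $stored): string
{
    // Vulnerable pattern: the stored value is concatenated into an attribute as-is,
    // so a double quote in the value ends the attribute and "> ends the tag.
    return '<input type="text" name="intro" value="' . $stored . '">';
}

function render_escaped(string $stored): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot leave the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="intro" value="' . $safe . '">';
}

function count_event_handlers(string $html): int
{
    // Parse the markup and count elements that carry an on* attribute
    // (onerror, onload, ...). Requires the DOM extension.
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);
    return $xpath->query('//*[@*[starts-with(name(), "on")]]')->length;
}

// Payload string from step 3 of this advisory (assumption: the leading
// quotation mark in the write-up is a delimiter, not part of the payload).
$payload = 'TEST"><img src=x onerror=alert(1)>';

printf("unsafe : %d element(s) with an event handler\n",
    count_event_handlers(render_unsafe($payload)));
printf("escaped: %d element(s) with an event handler\n",
    count_event_handlers(render_escaped($payload)));
```

If the intro page is meant to hold administrator-authored HTML, escaping the whole value is not an option; the equivalent control there is an allowlist HTML sanitizer applied before the content is stored or rendered.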
