Friday Fun Pentest Series - 3 - concretecmsv9.2.7

 Description

- Open redirect

- Stored XSS

- Verbose error message (stack trace)

- Verbose error message (SQL error)

Verbose Error Message - Stack Trace

Steps to Reproduce:

1. Directly browse to edit profile page
2. Error should come up with verbose stack trace

Verbose Error Message - SQL Error

Steps to Reproduce:

Page Settings > Design > Save Changes

1. Intercept HTTP POST request and place single quote to "pTemplateID"
2. Verbose SQL error message would occur

Open Redirect

Steps to Reproduce:

1. Login to application
2. Click to "Edit This Page" button
3. Intercept HTTP GET request
4. Enter relevant domain as value for "redirect" parameter

Stored XSS

Steps to Reproduce:

1. Edit page
2. Add HTML widget and drag it to the page
3. Add XSS payload in the HTML editor window

"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

Conclusion

- Had lots of fun fuzzing the application

- Until next Friday!

- Cheers

Friday Fun Pentest Series - 2 - phpfusioncmsv9.10.30

Description

- Filter bypass

- Four stored XSS in admin functionality

Payload Used:

"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">

Stored XSS #1

Steps to Reproduce:

1. Go to Content Admin > Blog > Add Blog
2. In the Extended blog content field paste the XSS payload

Stored XSS #2

Steps to Reproduce:

1. Go to Content Admin > Articles > Article
2. In the Article field paste the XSS payload

Stored XSS #3

Steps to Reproduce:

1. Go to Content Admin > News > Add News
2. In the Snippet field paste the XSS payload

Stored XSS #4

Steps to Reproduce:

1. Go to System Admin > Banners
2. In the Banner 1 field paste the XSS payload 

Conclusion

- Had lots of fun fuzzing the application

- Until next Friday!

- Cheers

Friday Fun Pentest Series - 1 - boidcmsv2.0.1

BoidCMS v2.0.1

Description

- Stored XSS

- Reflected XSS

- XSS via SVG File Upload

XSS via SVG File Upload

Steps to Reproduce:

1. Login with admin user
2. Visit "Media" page
3. Upload xss.svg
4. Click "View" and XSS payload will execute

// xss.svg contents

<?xml version="1.0" standalone="no"?>

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">

   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>

   <script type="text/javascript">

      alert(`XSS`);

   </script>

</svg>

Reflected XSS

Steps to Reproduce:

1. Login as admin
2. Visit "Media" page
3. Click "Delete" and intercept the HTTP GET request
4. In "file" parameter add the payload "<script>alert(1)</script>"
5. After forwarding the HTTP GET request a browser popup would surface

Stored XSS

Steps to Reproduce:

1. Login as admin
2. Visit "Settings" page
3. Enter XSS payload in "Title", "Subtitle", "Footer"
4. Then visit the blog page

Conclusion

- Had lots of fun fuzzing the application

- Until next Friday!

- Cheers

Friday Fun Pentest Series Introduction

 

Decided to introduce a Friday Fun Pentest Series, where I would be pentesting various web apps in my lab to discover and explore vulnerabilities in the web app as well its code base. Then post the walkthroughs on my blog for anyone that would want to follow.