Description
When an administrator opens the Database information function, the names of the database tables are rendered into the page, so a table name that contains HTML or JavaScript is executed in the administrator's browser (stored XSS). The malicious content can reach the table name field in two ways:
- (1) An internal attacker (local) with access rights to the database creates a table whose name contains the malicious content.
- (2) The system administrator imports a database dump from an unknown or untrusted source in which a table name has already been injected with malicious content.
Proof of Concept
Payload
CREATE TABLE `yetiforce`.`<script>alert('stored_xss')</script>` ( `id` INT NOT NULL ) ENGINE = InnoDB CHARSET=armscii8 COLLATE armscii8_general_nopad_ci;
Reproduction steps
- Step 1: The internal attacker creates a new table using the payload above (the table is created in the `yetiforce` schema; adjust the schema name to the one the instance actually uses).
[Screenshot: PoC - Step 1]
- Step 2: Open the Database information function in Admin Dashboard > Logs > Server configuration.
[Screenshot: PoC - Step 2]
- Step 3: The XSS fires as soon as the detailed database information, including the list of table names, is loaded.
[Screenshot: PoC - Step 3.1]
[Screenshot: PoC - Step 3.2]
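The following is an added illustration of the two cases described above, not code from the advisory or from the YetiForce project. It models the Database information page as a small function that lists table names and renders them into HTML, once without output encoding (the behaviour the advisory describes) and once with it. SQLite is used as a stand-in for MariaDB so the example runs offline; both accept backtick-quoted identifiers, so the table name from the payload can be created unchanged. The `suspicious_tables` check is an assumed pre-import review step for case (2): it flags identifiers carrying HTML metacharacters before an untrusted dump is loaded.

```python
import html
import re
import sqlite3

# Table name taken from the advisory's CREATE TABLE payload (constructed here
# without the MySQL engine/charset options, which SQLite does not accept).
PAYLOAD_TABLE = "<script>alert('stored_xss')</script>"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with one benign table and one table whose
    name is the XSS payload (attacker case 1: local DB access)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `vtiger_users` (id INTEGER NOT NULL)")
    # Backtick-quoted identifier, exactly as in the advisory's payload. The
    # payload contains no backtick, so the statement is well formed.
    conn.execute(f"CREATE TABLE `{PAYLOAD_TABLE}` (id INTEGER NOT NULL)")
    return conn


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """Stand-in for SHOW TABLE STATUS / information_schema.TABLES."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()
    return [row[0] for row in rows]


def render_vulnerable(tables: list[str]) -> str:
    """Table names concatenated straight into HTML: the stored XSS sink."""
    cells = "".join(f"<tr><td>{name}</td></tr>" for name in tables)
    return f"<table>{cells}</table>"


def render_fixed(tables: list[str]) -> str:
    """Same page with output encoding applied to every identifier, so the
    browser shows the payload as text instead of executing it."""
    cells = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td></tr>" for name in tables
    )
    return f"<table>{cells}</table>"


# Assumed review rule for case 2: identifiers normally never need these.
SUSPICIOUS = re.compile(r"[<>\"'&]")


def suspicious_tables(tables: list[str]) -> list[str]:
    """Flag table names carrying HTML metacharacters before a dump from an
    unknown source is imported into the live database."""
    return [name for name in tables if SUSPICIOUS.search(name)]


if __name__ == "__main__":
    db = make_db()
    names = list_tables(db)
    print("vulnerable:", render_vulnerable(names))
    print("fixed:     ", render_fixed(names))
    print("flagged:   ", suspicious_tables(names))
```

The fix is the usual one for this class of bug: treat database metadata (table, column and index names) as untrusted data and encode it for the HTML context where it is displayed, rather than relying on identifiers being well-behaved.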