Ultimate Project Manager CRM PRO v1.3.7 WebShell Upload & Stored XSS Injections - CXSecurity.com

Vulnerability ID: 1572455 Vulnerability type:
Published: 2019-04-17 Updated: 2019-04-17
CVE ID: N/A CNNVD-ID: N/A
Platform: N/A CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2019040160
|Vulnerability details
Vulnerability details have not yet been disclosed
|Vulnerability exploit (EXP)
# Title: Ultimate Project Manager CRM PRO v1.3.7 WebShell Upload & Stored XSS Injections
# Author: QUIXSS
# Date: 2019-04-16
# Software: Ultimate Project Manager CRM PRO v1.3.7
  
# Technical Details & Description:
# Weak file upload filtering (.PHP5/.PHP7 are not filtered) and multiple Stored XSS vulnerabilities have been discovered in the «Ultimate Project Manager CRM PRO» web application. The current version of this web application is 1.3.7.

# PoC #1 [WebShell Upload]:
# Any PHP file can be uploaded via «File Manager» (for the demo website) -> https://hrm-crm.uniquecoder.com/admin/filemanager: change the file type from .PHP to .PHP5 (for PHP v5.X) or .PHP7 (for PHP v7.X) and upload the file. Alternatively, rename the local .PHP file type to .TXT, upload it, then rename the file type in the «File Manager» back to .PHP5 or .PHP7. The uploaded file will be inside this directory (for the demo website) -> https://hrm-crm.uniquecoder.com/-/
  
# PoC #2 [Stored XSS Injections]:
# The whole web application has no input field filters, so any input field can be used for Stored XSS injection. The most useful fields are «Company Name» and «Legal Name», located (at the demo website) here: https://hrm-crm.uniquecoder.com/admin/settings. Data from these fields is loaded on literally every page you visit.
# Sample payload: "><script>alert('QUIXSS')</script>
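
Mitigation sketch for both PoCs above, as an added example that is not code from the advisory or from the application: an extension allowlist enforced on upload and on rename, plus output encoding for stored settings. All function names and the allowed-extension list are assumptions.

```php
<?php
// Added example; all names are hypothetical, not the application's code.

// Extensions permitted in the upload directory (assumed list).
const ALLOWED_EXTENSIONS = ['txt', 'pdf', 'png', 'jpg', 'jpeg', 'docx', 'xlsx'];

// Weak form for contrast: a blocklist naming only "php" passes .php5/.php7.
function blocklist_allows(string $name): bool
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION)) !== 'php';
}

// Hardened form: case-insensitive allowlist on the final extension.
function allowlist_allows(string $name): bool
{
    $base = basename($name);
    if ($base === '' || $base[0] === '.' || strpos($base, "\0") !== false) {
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Upload and rename go through the same check, so a file accepted as .txt
// cannot later be given an executable extension.
function can_upload(string $name): bool
{
    return allowlist_allows($name);
}

function can_rename(string $old, string $new): bool
{
    return allowlist_allows($old) && allowlist_allows($new);
}

// Stored settings such as "Company Name" are encoded at output time.
function render_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input.
foreach (['notes.txt', 'upload.PHP5', 'upload.php7', 'logo.PNG'] as $n) {
    printf("%-12s blocklist=%s allowlist=%s\n", $n,
        var_export(blocklist_allows($n), true), var_export(allowlist_allows($n), true));
}
printf("rename notes.txt -> notes.php7: %s\n", var_export(can_rename('notes.txt', 'notes.php7'), true));
echo render_text('"><script>alert(\'QUIXSS\')</script>'), "\n";
```

Serving uploads from a directory where the web server does not execute scripts removes the remaining risk if a filter is ever bypassed.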