Description
Based on [EQSTLab](https://github.com/EQSTLab)
Introduction
**Thanks to [physicszq](https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md), who discovered this vulnerability.**
# CVE-2024-46538
★ CVE-2024-46538 pfSense Stored XSS leads to Arbitrary Code Execution PoC ★
## Description
CVE-2024-46538 : pfSense Stored XSS Vulnerability
Description: A cross-site scripting (XSS) vulnerability in pfSense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.
## Lab Setup
Download the vulnerable version ([v2.5.2](https://github.com/CloudSentralDotNet/iso_pfsense)).
## Analysis
**/src/usr/local/www/interfaces_groups_edit.php**
```php
// Excerpt from the POST handler of pfSense 2.5.2 interfaces_groups_edit.php.
// The code is unchanged; the comments were added for this write-up.
if (isset($_POST['members'])) {
    // The selected member interfaces are joined into one space-separated string
    $members = implode(" ", $_POST['members']);
} else {
    $members = "";
}
...
    // Create new group
    } else {
        $ifgroupentry['ifname'] = $_POST['ifname'];
        $a_ifgroups[] = $ifgroupentry;
    }
    write_config("Interface Group added");
    interface_group_setup($ifgroupentry);
    header("Location: interfaces_groups.php");
    exit;
} else {
    // The raw POST values are copied into $pconfig without any filtering or
    // HTML encoding, and $pconfig is what the page echoes back into the form
    $pconfig['descr'] = $_POST['descr'];
    $pconfig['members'] = $members;
}
}
```
The values placed in $pconfig in interfaces_groups_edit.php are neither filtered nor HTML-encoded, which leads to a cross-site scripting (XSS) vulnerability. Because the injected script runs in the administrator's browser with the administrator's session, it can call the diag_command.php endpoint and execute arbitrary commands on the firewall with administrator privileges.
For example, the following JavaScript can lead to arbitrary code execution.
## Scenario
User (has the privilege WebCfg - Interfaces: Groups: Edit) --(stores malicious JavaScript)--> Admin (has the privilege to execute commands) --(views interfaces_groups.php)--> JavaScript executes in the admin's browser --> command execution via diag_command.php
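The analysis and the scenario above both come down to one defect: a user-controlled value is copied into $pconfig and written back into the page without encoding. The following Python model is an added example for this page, not code from the EQSTLab PoC or from pfSense. It reproduces the $pconfig copy, renders it once the vulnerable way and once with htmlspecialchars-style encoding (Python's html.escape stands in for PHP's htmlspecialchars), and checks whether a live script tag survives. The form layout, the field names, the sample POST body and the check function are assumptions chosen for illustration.

```python
"""Model of the interfaces_groups_edit.php $pconfig pattern (added example).

Nothing here is pfSense code; the form markup and field names are assumed.
"""
import html
import re

# Constructed sample POST body, as a user with only the
# "WebCfg - Interfaces: Groups: Edit" privilege could submit it.
# The descr value closes the value="..." attribute and injects a script tag.
SAMPLE_POST = {
    "ifname": "wan_group",
    "descr": '"><script>alert(document.domain)</script>',
    "members": ["wan", "lan"],
}


def handle_post(post):
    """Mirror the PHP branch that copies raw POST values into $pconfig.

    Like the PHP, members are space-joined and descr is taken verbatim.
    """
    members = " ".join(post["members"]) if "members" in post else ""
    return {"descr": post.get("descr", ""), "members": members}


def render_form(pconfig, encode_output):
    """Render the (assumed) edit-form fields from $pconfig.

    encode_output=False reproduces the vulnerable pattern: the values are
    echoed straight into the HTML attribute. encode_output=True applies
    htmlspecialchars-style encoding (html.escape with quote=True), the
    standard fix for this bug class: quotes and angle brackets become
    entities, so the payload stays inert text inside the attribute.
    """
    if encode_output:
        enc = lambda s: html.escape(s, quote=True)  # noqa: E731
    else:
        enc = lambda s: s  # noqa: E731
    return (
        f'<input name="descr" value="{enc(pconfig["descr"])}">\n'
        f'<input name="members" value="{enc(pconfig["members"])}">'
    )


SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(markup):
    """True if a literal <script ...> tag is present in the rendered page.

    An encoded payload appears as &lt;script&gt; and does not match, so this
    is a quick check a tester can run over a fetched page to see whether a
    stored value was reflected raw.
    """
    return SCRIPT_RE.search(markup) is not None


if __name__ == "__main__":
    pconfig = handle_post(SAMPLE_POST)
    vulnerable = render_form(pconfig, encode_output=False)
    fixed = render_form(pconfig, encode_output=True)
    print("vulnerable rendering:\n" + vulnerable)
    print("live <script> present:", contains_script_tag(vulnerable))
    print("\nencoded rendering:\n" + fixed)
    print("live <script> present:", contains_script_tag(fixed))
```

The same `contains_script_tag` check applied to the HTML an administrator actually receives from interfaces_groups.php is the quickest way to confirm whether a given pfSense build still reflects the stored description unencoded; encoding at output time (the `encode_output=True` path) is the general fix, independent of how the value was validated on input.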
## Disclaimer
This repository is not intended to be an XSS exploit for CVE-2024-46538. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.
## References
https://github.com/physicszq/web_issue/blob/main/pfsense/interfaces_groups_edit_file.md_xss.md
File snapshot
[4.0K] /data/pocs/50cb885b0f99b4a3e01c97d0511a59cda7a43dea
├── [9.4K] CVE-2024-46538.py
├── [1.8K] mal.js
└── [2.0K] README.md
0 directories, 3 files