Countly - Cross-Site Scripting - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月4日2年前

############################################################################
# Exploit Title: Countly-server Stored(Persistent) XSS Vulnerability 
# Date: Monday - 2018 13 August
# Author: 10:10AM Team
# Discovered By: Sleepy
# Software Link: https://github.com/Countly/countly-server
# Version: All Version
# Category: Web-apps
# Security Risk: Critical
# Tested on: GNU/Linux Ubuntu 16.04 - win 10
############################################################################
#  Exploit:
#  Description:
#
#     Attacker can use multiple parameters in the provided link to inject his own data in the database 
#     of this application,the injected data can then be directly viewed in the event logs panel
#     (manage>logger).
#     Attacker may use this vulnerability to inject his own payload for attacks like Stored XSS.
#     The injected payload will be executed everytime that the target page gets visited/refreshed.
#
#  Proof of Concept:
#
#     Injection URL:
#
#            � 	http://[server_ip]:[api_port]/i?api_key=[api_key]&parameter_1=[payload_1]&parameter_2=[payload_2]&etc...   
#
#     Execution URL(login to server dashboard and navigate to "event logs" panel):
#
#            �  http://[server_ip]:[server_port]/dashboard#/[app_key]/manage/logger
#	
#
############################################################################
# WE ARE: Sleepy({[email protected]}), Mikili({[email protected]})
############################################################################

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

Countly - Cross-Site Scripting

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索