During the last few days I tried to rewrite a few parts of modus.py to get results more similar to those described for the 'latest' version of Horde.
TL;DR - we have a new version of modus.py =]
...of course: the code needs to be changed/fixed/rewritten again (and again... because I think there is still 'something' to fix or upgrade), so our new version is the "official" version 0.2 ;) But it is still not publicly available.
After the last two 'parts' I decided it would be a good idea to 'teach modus' how to understand bugs related to XSS. I assumed it would be 'good enough' to prepare the script (using a similar skeleton) to find other bugs later (like sqli/rce/etc...). Version I used:
So, checking with Burp again, then looking for the declaration of the param, and next - where it was used in a wrong way (read: without any sanitization):
I don't think that cleanX() is the best way to do it. :7
Why? You will see on the next screen, where cleanX() was used again - but with 'no success'. All parameters in the red frame are vulnerable to XSS (later you will see why):
At this stage I used the new version of modus.py (output was saved with > file.log). On the screen below I decided to grep only the 'info line' about the file 'where the bug was located':
(I think you can identify - and verify ;] - them manually).
Let's grab some details from modus.py:
Ok, good. Next:
Looks like modus.py also found our old friend - the $mod param:
Below, a quick sort to get the 'vulnerable parameters':
The next grep is to count how many of them you will find in GeniXCMS (in my opinion ~25 should be vulnerable ;) )
Now described as CVE-2017-17431.
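To show the kind of check the walkthrough above performs (find where a request parameter is assigned, then where it is echoed without escaping, then sort the parameter names), here is an added Python example. It is not modus.py's code and not GeniXCMS code; the PHP sample is constructed, and the escaping heuristic is an assumption (only htmlspecialchars/htmlentities count as sanitization).

```python
import re

# Request parameters, e.g. $_GET['mod'] -> ('GET', 'mod')
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*['\"](\w+)['\"]\s*\]")
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+);")        # $var = <rhs>;
OUTPUT = re.compile(r"\b(echo|print)\b\s*(.+?);")       # echo <expr>; / print <expr>;
ESCAPED = re.compile(r"\b(htmlspecialchars|htmlentities)\s*\(")  # assumed safe wrappers

def find_unescaped_output(php_source):
    """Return (line, parameter, via) for request data echoed without escaping.

    'via' is the tainted variable name, or 'direct' when the superglobal
    itself appears in the echo/print expression. Single-file, line-based
    heuristic: a variable escaped at assignment time is treated as clean.
    """
    tainted = {}   # variable name -> request parameter it was assigned from
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            sg = SUPERGLOBAL.search(rhs)
            if sg and not ESCAPED.search(rhs):
                tainted[var] = sg.group(2)       # declaration of a tainted param
            else:
                tainted.pop(var, None)           # reassigned from clean data
        m = OUTPUT.search(line)
        if not m or ESCAPED.search(m.group(2)):
            continue
        expr = m.group(2)
        sg = SUPERGLOBAL.search(expr)
        if sg:
            findings.append((lineno, sg.group(2), "direct"))
            continue
        for var in re.findall(r"\$(\w+)", expr):
            if var in tainted:                   # usage of the tainted param
                findings.append((lineno, tainted[var], var))
    return findings

def vulnerable_params(findings):
    """Sorted, de-duplicated parameter names (the 'quick sort' step)."""
    return sorted({param for _, param, _ in findings})

# Constructed sample, not GeniXCMS source.
SAMPLE_PHP = """<?php
$mod = $_GET['mod'];
$page = htmlspecialchars($_GET['page']);
$title = "Home";
echo "<h1>" . $title . "</h1>";
echo $mod;
echo $page;
print $_REQUEST['q'];
"""
```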
tbc.
o/
How does the response of the attacked site look? Does it load the alert or not?
The cleanX should also filter the XSS.
@MG: Feel free to try it... ;>
Thanks for watching ;)
This has been fixed in the new release.
@MG: (sorry for the delay but) thank you for the updates and for watching. :)
I appreciate it!