Exploit Title : FUDForum 3.0.9 – Stored XSS / Remote Code Execution
Date : 10/26/19
Exploit Author : liquidsky (JMcPeters)
Vulnerable Software : FUDForum 3.0.9
Version : 3.0.9
Software Link : https://sourceforge.net/projects/fudforum/files/FUDforum_3.0.9.zip/download
Tested On : Windows / mysql / apache
Author Site : https://github.com/fuzzlove/FUDforum-XSS-RCE
Demo : https://youtu.be/0gsJQ82TXw4 | https://youtu.be/fR8hVK1paks
CVE : CVE-2019-18839, CVE-2019-18873
Greetz : wetw0rk, Fr13ndz, offsec =)
Description: Multiple Stored XSS vulnerabilities have been found in FUDforum 3.0.9 that may result in remote code execution. The areas impacted are the admin panel and the forum.
XSS via username in Forum:
1. Register an account and log in to the forum.
2. Go to the user control panel. -> Account Settings -> change login
4. When the admin visits the user information the payload will fire, uploading a php shell on the remote system.
XSS via user-agent in Admin Panel:
1. Register an account and log in to the forum. If you have an IP already associated with a registered user this is not required. This step is so when you run the XSS payload from your attacker machine it gets logged under the user activity.
2. Send the XSS payload below (from an IP associated with an account) / host the script:
3. curl -A ‘XSS PAYLOAD (fud.js)’ http://target.machine/fudforum/index.php
4. When the admin visits the user information from the admin controls / User Manager the payload will fire under “Recent sessions”, uploading a php shell on the remote system.
Proof of concept: Download here