Dolibarr CMS 11.0.4 (DMS/ECM Module) - Stored XSS + RCE with Admin Click

Posted on May 17, 2020 in XSS

DMS/ECM Module Overview

The DMS/ECM module is a simple document upload system built into the Dolibarr CRM. You select a file from your filesystem and its uploaded to the webserver. This file can then be shared to other users through a link.

A user must be assigned the …


Continue reading

Exploiting Insecure Directory Permissions

Posted on March 01, 2020 in Windows

Auditing Directory Permissions

Last year I was auditing my file system permissions using AccessChk and had discovered a directory within 'C:\Program Files (x86)' that granted full read/write to the 'Users' group. This allowed its contents to be modified by any user on the system including non-administrators.

This directory …


Continue reading

File Upload via XSS

Posted on January 03, 2020 in XSS

During my studies of web application exploitation I have come across the need to upload a tar plugin file to an application via an XSS payload to achieve remote code execution.

The process that was used to exploit this application is as follows:

  • The administrator triggers a stored XSS which …


Continue reading