Saturday, 9 March 2024

Friday Fun Pentest Series - 2 - phpfusioncmsv9.10.30

Description

- Filter bypass

- Four stored XSS in admin functionality


Payload Used:

"><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">


Stored XSS #1

Steps to Reproduce:

  1. Go to Content Admin > Blog > Add Blog
  2. In the Extended blog content field paste the XSS payload


Stored XSS #2

Steps to Reproduce:

  1. Go to Content Admin > Articles > Article
  2. In the Article field paste the XSS payload


Stored XSS #3

Steps to Reproduce:

  1. Go to Content Admin > News > Add News
  2. In the Snippet field paste the XSS payload


Stored XSS #4

Steps to Reproduce:

  1. Go to System Admin > Banners
  2. In the Banner 1 field paste the XSS payload 


Conclusion

- Had lots of fun fuzzing the application

- Until next Friday!

- Cheers

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Friday Fun Pentest Series - 48 - Weak Password Complexity - elggv6.3.3

  Description - It was noted that the "Password Update" functionality allowed users to set weak passwords. Weak Password Complexit...