AnhNg1410/Bludit-Exploitation
GitHub: AnhNg1410/Bludit-Exploitation
Stars: 0 | Forks: 0
# Bludit-Exploitation
PoC script for Bludit CMS Privilege Escalation: Leveraging Stored XSS and CSRF to escalate user privileges from Author to Administrator.
### Summary
Bludit CMS v3.21.1 — Stored Cross-Site Scripting (XSS) Exploit

- CWE: `CWE-79` (Improper Neutralization of Input)
- CVSS 3.1: `8.7` `(AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N)`
- Affected: Bludit CMS <= 3.21.1 (`bl-kernel/`)
- Vulnerability: page content is stored without sanitization and rendered through Parsedown with safe mode OFF.
- Impact: an authenticated user with the Author role or higher can inject arbitrary JavaScript that executes for every visitor, including administrators. Chained with the CSRF token, which stays valid for the lifetime of the session, this yields full admin takeover.
- Requirements: `pip install requests beautifulsoup4`
- Usage:

```
python3 exploit.py --target http://127.0.0.1:8080 --username --password --attacker --payload
```

- Use `python3 exploit.py --help` for more detail.
### Note
JavaScript Payload Templates
Exfiltration uses `navigator.sendBeacon()` with a `URLSearchParams` body, so the request's Content-Type becomes `application/x-www-form-urlencoded`. That is a CORS "simple" type and does NOT trigger an OPTIONS preflight. A `Blob` typed `application/json`, by contrast, is preflighted, and the browser blocks the request when the receiving server (for example `webhook.site`) does not answer with `Access-Control-Allow-Origin` headers.
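To make the preflight distinction concrete from the defender's side, here is an added example that is not part of the Bludit-Exploitation repository: a Node script that classifies a request by the Fetch Standard's CORS-safelisted method and header rules, applied to the two beacon shapes described above. The takeaway for defenders is that CORS headers on the receiving server never stop a form-urlencoded beacon from leaving the browser; the controls that matter are rendering stored content with Parsedown safe mode ON and a Content-Security-Policy `connect-src` that limits where `sendBeacon()` may post. The function names and the constructed header sets are this example's own assumptions, and byte-level "CORS-unsafe request-header byte" checks from the spec are omitted.

```javascript
// Added example, not code from the Bludit-Exploitation repository.
// Classifies a cross-origin request as "simple" (sent with no OPTIONS
// preflight) or "preflighted", following the Fetch Standard's
// CORS-safelisted method and request-header rules. Function names and the
// constructed header sets below are this example's own.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Only these MIME essences keep a Content-Type header "simple".
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

const SAFELISTED_HEADER_NAMES = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);

// Fetch Standard: a safelisted header value is at most 128 bytes long, and
// Content-Type is safelisted only when its essence (type/subtype, with any
// ";charset=..." parameter stripped) is one of the three values above.
// The spec's byte-level "CORS-unsafe request-header byte" checks are omitted.
function isSafelistedHeader(name, rawValue) {
  const lowerName = name.toLowerCase();
  if (!SAFELISTED_HEADER_NAMES.has(lowerName)) return false;
  if (new TextEncoder().encode(rawValue).length > 128) return false;
  if (lowerName !== "content-type") return true;
  const essence = rawValue.split(";")[0].trim().toLowerCase();
  return SAFELISTED_CONTENT_TYPES.has(essence);
}

// True when the browser sends the request immediately without asking the
// target origin for permission. CORS policy on the receiving server is then
// irrelevant to whether the body leaves the victim's browser.
function isSimpleRequest(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(headers).every(([n, v]) => isSafelistedHeader(n, v));
}

// Case 1 from the note above: sendBeacon(url, new URLSearchParams(...)) sends
// a POST whose Content-Type is application/x-www-form-urlencoded;charset=UTF-8.
function beaconWithUrlSearchParams() {
  return isSimpleRequest("POST", {
    "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
  });
}

// Case 2: sendBeacon(url, new Blob([...], { type: "application/json" })) sends
// Content-Type: application/json, which is not safelisted, so the browser
// preflights and drops the request unless the server opts in via CORS.
function beaconWithJsonBlob() {
  return isSimpleRequest("POST", { "Content-Type": "application/json" });
}

// A non-safelisted header name (e.g. a custom token header) also forces a
// preflight, even when the Content-Type itself is safelisted.
function postWithCustomHeader() {
  return isSimpleRequest("POST", {
    "Content-Type": "text/plain",
    "X-Requested-With": "XMLHttpRequest",
  });
}

console.log("URLSearchParams beacon is simple:", beaconWithUrlSearchParams()); // true
console.log("JSON blob beacon is simple:", beaconWithJsonBlob());             // false
console.log("POST with custom header is simple:", postWithCustomHeader());    // false
```

Run it with `node` on any recent release; no dependencies are needed. Because the form-urlencoded case returns `true`, a defender should not expect the absence of `Access-Control-Allow-Origin` on an unknown host to block exfiltration; the browser only consults CORS before sending when the request falls into the preflighted class.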
Token source: `var tokenCSRF = "hex128"` (`js/variables.php:20`).
This JS global is present on EVERY admin page via `admin/themes/booty/index.php:52`.