Private Message PHP Script 2.0 – Cross-Site Scripting

Exploit Database
12 阅读

作者： L0RD

日期： 2018-05-21
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/44662/

# Exploit Title:Private Message PHP Script 2.0 - Persistent Cross-Site scripting
# Date: 2018-05-20
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/private-message-php-script/21027192?s_rank=1
# Version: 2.0
# Tested on: Windows

# Description :
Private Message PHP Script 2.0 suffers from persistent cross site scripting.
You can put your malicious javascript payload .
When target opens your massege ,payload will be executed before self destruction .

# POC :
1) Put this payload into textarea and click submit :
</textarea><script>alert(document.cookie)</script>

2) You will get a link which your javascript code is inside this link . You can send this link to anyone .
3) After clicking on "show me the message" , payload will be executed .

last Exploits
Private Message PHP Script 2.0 – Cross-Site Scripting的更多信息

D-Link DWL-2600AP – Multiple OS Command Injection：
Topsites Script 1.0 – Cross-Site Request Forgery / PHP Code Injection：
Joomla! Component JE Grid Folio – ‘id’ SQL Injection：
PayPal Shop Digital – SQL Injection：
MindTouch DekiWiki – Multiple Local/Remote File Inclusions：
WordPress Plugin Quick Page/Post Redirect 5.0.3 – Multiple Vulnerabilities：
NSClient++ 0.5.2.35 – Authenticated Remote Code Execution：
Joomla! Component JB Bus 2.3 – ‘order_number’ SQL Injection：