VidiScript 1.0.3a Cross Site Scripting Vulnerability

2013-10-10T00:00:00
ID 1337DAY-ID-21359
Type zdt
Reporter gabby
Modified 2013-10-10T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #################################################################################################
# __________.__             _________                              _________
# \__    ___/|  |__   ____   \_   ___ \_______  ______  _  ________ \_   ___ \_______   ______  _  __
#   |    |   |  |  \_/ __ \  /    \  \/\_  __ \/  _ \ \/ \/ /  ___/ /    \  \/\_  __ \_/ __ \ \/ \/ /
#   |    |   |   Y  \  ___/  \     \____|  | \(  <_> )     /\___ \  \     \____|  | \/\  ___/\     /
#   |____|   |___|  /\___  >  \______  /|__|   \____/ \/\_//____  >  \______  /|__|    \___  >\/\_/
#                 \/     \/          \/                         \/          \/             \/
#
#
#http://thecrowscrew.org
##################################################################################################
# Exploit Title: VidiScript Persistent XSS Vulnerability
# Author: Gabby
# Google Dork: Powered By VidiScript 1.0.3a
# Software Link: http://www.vidiscript.com/
##################################################################################################
poc : 
1. register first -> http://site.com/register.php
than go to edit ur profile on http://site.com/usermenu/profile
put ur xss script on "About Me" form
u will find ur xss on http://site.com/profile/ur_user_name

2. register first -> http://site.com/register.php
go to http://site.com/upload 
give a title on title form,..
put ur xss script on "description" form.. (in this case u can put ur xss script on "description" form n "embed code" form.. }
chose the category.. upload ur fake file use .mp4 / .flv / .mp3 / .jpg / etc 
n upload,. 
u will find ur xss on :
http://site.com/play/category/ur_title

example : 
http://www.mymediaempire.com/profile/bie
http://www.kontraktkillers.eu/profile/bie
http://arryn.be/vidiscript/profile/bie
http://www.yehtronservices.info/vidi/play/Main_Category/tes
http://www.yehtronservices.info/vidi/play/Main_Category/bie
http://restaurantsinmytown.com/video/play/Restaurant_Reviews/bie
http://uxoservices.com/videostream/play/Main_Category/bie

################################################################################​#################
Thanks to :
Catalyst71, kit4r0, 777r, ovanIsmycode, walangkaji, y0g4, my "Dad", my sista Wii, cW3 G4pt3K, 
Red-x, Vanda, Deb, Sultan, Meninbox, Jr Blender, n all my luvly friend,..
Greets to :
Yogyacarderlink, SurabayaBlackhat,..^^ 
luv to Bruno mars,. ayem_lagi_galau_tengkiu_buat_lagunya -_-
################################################################################​#################

#  0day.today [2018-02-06]  #