hamzakiller21

siteGo all version Xss Stored and Full Path Disclosure

Mar 12th, 2014
######################################################################
# siteGo all version Xss Stored & Full Path Disclosure #
# Author : hamza killer #
# E-mail : hlyzidi@gmail.com #
# GoogleDork: -_- !!! #
# Vendor : http://site-go.com #
# Thx TO : sec4ever & sec4all #
######################################################################

XSS:
===

XSS in the search input of index.php.

Stored XSS in:

site.com/?action=contacts

How to exploit:

Put your payload (JavaScript code or HTML) in the message. (You can steal cookies.)
The message is sent to the admin in the control panel, and
when he reads the message the code is executed.

(Sorry for my very bad English.)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Full Path Disclosure:
===================

Use any header editor tool to delete Cookie: PHPSESSID=

Look:

http://im64.gulfup.com/sbo4l.png
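
Defensive counterpart to the two findings above, as an added example (not part of the original paste and not siteGo's code): stored contact messages are HTML-encoded when the admin view renders them, the session cookie is marked HttpOnly, and PHP warnings go to the log instead of the response. All function and field names are hypothetical, and it is an assumption that the path leak comes from a PHP warning shown to the client when the session cookie is missing.

```php
<?php
// Added example: hypothetical names throughout, not siteGo's code.

// Full path disclosure: never print PHP warnings (which contain absolute
// file paths) to the client; write them to the server log instead.
function harden_runtime(): void {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    // Keep the session cookie out of reach of scripts running in the page.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_strict_mode', '1');
}

// Treat a request that carries no session as "not logged in" instead of
// reading keys that do not exist (assumed source of the warning).
function admin_id(array $session): ?int {
    $id = $session['admin_id'] ?? null;
    return is_int($id) ? $id : null;
}

// Stored XSS: encode every stored field at the point where it is written
// into HTML, so markup in a message is displayed as text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one stored contact message for the admin view.
function render_message(array $msg): string {
    return '<div class="msg"><h3>' . h($msg['name']) . '</h3><p>'
         . nl2br(h($msg['body'])) . '</p></div>';
}

harden_runtime();

// Constructed sample data standing in for a row from the contacts table.
$stored = [
    'name' => 'visitor "x"',
    'body' => "line one\n<script>/* constructed */</script>",
];
echo render_message($stored), PHP_EOL;

// Request without a PHPSESSID cookie: empty session, no warning raised.
var_dump(admin_id([]));
```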