# Exploit Title :----------------- : Oneblog v2.0 - (posts_new.php) - Stored XSS
# Author :------------------------ : Nassim Asrir
# Author Company :------------------------ : HenceForth
# Author Email :------------------------ : wassline@gmail.com
# Google Dork :---------------- :  -
# Date :-------------------------- : 14/10/2016
# Type :-------------------------- : webapps
# Platform : -------------------- :  PHP  
# Software link : -------------- : http://wmscripti.com/php-scriptler/oneblog-blog-scripti.html
 
   
############################ Stored XSS Vulnerability ############################
       
## Code ##

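 } else {
     $message = $_POST['message'];   // raw request value, no encoding or filtering
 }

 if ($title && $name && $message) {
     // $message is stored exactly as submitted and later shown on the home page
     $query = "INSERT INTO blog (title, author, post, date) VALUES ('$title', '$name', '$message', NOW())";
     $result = mysql_query($query);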


 ## Proc ##

- As the code shows, the parameter ($message) is stored without any protection (neither html_entity_decode nor strip_tags is applied).

- To test it, go to the admin panel at "http://yoursite/admin/posts_new.php" and enter the following in the Message box:  "><script>alert(1);</script>.

- Then go to the home page: the alert fires, and it fires again for every visitor who opens the site.
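
An added example (not Oneblog's code and not the author's) of the output-side fix: encode every stored field with htmlspecialchars when rendering, since html_entity_decode decodes entities rather than encoding them and strip_tags only removes tags. The function names and sample rows are hypothetical, the column names come from the INSERT statement above, and PHP 7 or later is assumed.

```php
<?php
// Added example, not Oneblog code. Column names (title, author, post) follow
// the INSERT statement in the advisory; the function names are hypothetical.

// Encode a stored value for an HTML body or quoted-attribute context.
function e(string $value): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one blog row. Every database field is encoded at output time,
// so payloads that were stored before the fix are neutralised as well.
function render_post(array $row): string
{
    return sprintf(
        "<article>\n  <h2>%s</h2>\n  <p class=\"author\">%s</p>\n  <div class=\"post\">%s</div>\n</article>\n",
        e($row['title']),
        e($row['author']),
        nl2br(e($row['post']))   // encode first, then turn newlines into <br>
    );
}

// Audit helper: return the rows in which strip_tags() would change a field,
// i.e. posts that were saved with markup while the page was vulnerable.
function rows_with_markup(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        foreach (['title', 'author', 'post'] as $field) {
            if (strip_tags($row[$field]) !== $row[$field]) {
                return true;
            }
        }
        return false;
    }));
}

// Constructed sample rows; the second uses the test string from the advisory.
$rows = [
    ['title' => 'Hello', 'author' => 'admin', 'post' => "First line\nSecond line"],
    ['title' => 'Test',  'author' => 'admin', 'post' => '"><script>alert(1);</script>'],
];

foreach ($rows as $row) {
    echo render_post($row);   // the second post is emitted as inert text
}
printf("%d row(s) contain stored markup\n", count(rows_with_markup($rows)));
```

Encoding at output rather than at insert time keeps the database content unchanged and covers every page that displays the post, including rows written before the fix.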

## Thanks To ##

- All Muslim Hackerz