SadafBlog Script Cross Site Scripting Stored

2017.06.19

GIST (CH)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

Dork: inurl:list.php intitle:فهرست وبلاگ ها

* Title : SadafBlog Script Cross Site Scripting ( Xss Stored )
* Date : 6/19/2017
* Dork : inurl:list.php intitle:فهرست وبلاگ ها
* Author : GIST
* YouTube : https://youtu.be/a1hN9KC3wUQ
* Version : All Version
* Script Download : https://goo.gl/d7yDrt
* Vendor HomePage : - 
* Tested On : Windows 10


About Script :

Sadaf Blog SCript for blogs is beautiful and diverse capabilities 
including the ability to recruit blogs, etc.

Some Of Facilities Of Sadaf Blog Script : 
1-Allowing verification of reader comments to display
2-Assign a URL
3-The possibility of exclusive design templates or change in form, color and design blog
4-Ability to insert labels for each entry
5-Allocates 300 MB for upload in the blog admin panel
And ...


Exploit : 

1- Open Target 

2- Register A New Weblog ( Usually You Can Find It 'register' or 'register.php' )

3- Complet Fields.

4- In Field Of Title Weblog Have To Use Inspect Element To Removing restrictions Of Character

Delete This Part ' maxlength="60" '

5- Input Your Deface Page in Title WEblog Filed

6-Click Save And Go To List Of Weblogs ( Usually You Can Find It 'list' or 'list.php' )

7- You Will See Your Deface Page :)

Demo : 

http://raziblog.ir/
http://shikblog.ir/
http://7blog.ir/

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

SadafBlog Script Cross Site Scripting Stored

Dork: inurl:list.php intitle:فهرست وبلاگ ها

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.