Breach-Team Cross Site Scripting Vulnerability (Xss)

2018.01.25

Iran.Anonymous (IR)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Breach-Team Cross Site Scripting Vulnerability
# Google Dork: N/A
# Date: 2018-01-24
# Exploit Author: Iran.Anonymous
# Vendor Homepage: https://breach-team.org/
# Tested on: Windows
*******************************************
# vulnerability :
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
# Attack details :
URL encoded POST input { returnurl } was set to :
https://breach-team.org/favicon.ico"onmouseover=EHfS(9900)"
URI was set to "onmouseover='PCJf(9713)'bad="
URI was set to "onmouseover='fPUa(9349)'bad="
# The input is reflected inside a tag parameter between double quotes.
# Proof :
goo.gl/42EXyX
*******************************************
# Thanks to : ~~> MR.Khatar || Turk.Khan || Blackwolf_Iran ||Ormazd || Sh@d0w ||Hellish_PN (mamad khodesh) ||Rabinson || Danger BoY
# Discovered By: K4an
# { Bu Hayatta Ya Av Ol Yada Avci Ama Ne Olursan Ol Avi Avciya Got?ren Kopek Olma! }

References:

Iran.Anonymous

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Breach-Team Cross Site Scripting Vulnerability (Xss)

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.