[*] :: Title: Tickerr - Ticket System v1.3 Stored XSS Injection
[*] :: Author: QUIXSS
[*] :: Date: 2019-05-07
[*] :: Software: Tickerr - Ticket System v1.3
[?] :: Technical Details & Description:
# Weak security measures like bad input fields data filtering has been discovered in the «Tickerr - Ticket System». Current version of this web-application is 1.3.
[?] :: Demo Website:
# https://codecanyon.net/item/tickerr-ticket-system/12818390
# Frontend: http://sglancer.com/Tickerr/guest/new-ticket
# Frontend: http://sglancer.com/Tickerr/guest/new-bug-report
# Backend: http://sglancer.com/Tickerr/
# Login/Password (admin): Admin/123456
# Login/Password (agent): Agent/123456
# Login/Password (client1): Client1/123456
# Login/Password (client2): Client2/123456
[!] :: Special Note:
# 260 Sales
# Unauthenticated Stored XSS Injections are more interesting because you can interact with admin panel («Bugs», «Tickets» and panel main screen sections).
[!] :: For developers:
# Disabling any data changes on a demo websites doesn't make your applications more secure. It's good for business and sales but you are simply double-crossing your clients.
[+] :: PoC [Links]:
# http://sglancer.com/Tickerr/panel/admin/free-bugs
# http://sglancer.com/Tickerr/panel/admin/all-bugs
# http://sglancer.com/Tickerr/panel/my-bugs
# http://sglancer.com/Tickerr/panel/bug/pAeJ9GbuwO
# http://sglancer.com/Tickerr/bug/98wM06PG7j/
# http://sglancer.com/Tickerr/ticket/ujq2izfeWz/
[+] :: PoC [Authenticated Stored XSS Injections]:
# Go to the demo website http://sglancer.com/Tickerr and log in as admin/agent. Go to the «Bugs» or «Tickets» section, create or edit any existed report/ticket and use «Subject» field for payload injection.
# Sample payload: "><script>alert('YOUR FLESH IS AN INSULT TO THE PERFECTION OF THE DIGITAL. - QUIXSS');location='https://twitter.com/quixss';</script>
[+] :: PoC [Unauthenticated Stored XSS Injections]:
# Go to the demo website and press the «Create ticket as guest» or «Leave bug report as guest» button, then you'll see new page with simple form where fields «YOUR NAME» and «SUBJECT*» are vulnerable for XSS Injections. Keep in mind that submitted reports/tickets are reflected inside admin panel, so it's really easy to steal the admin session f.e.
# Sample payload: "><script>alert('QUIXSS');location='https://twitter.com/quixss';</script>