################################################################
# Exploit Title: Infreshop - Cross-Site Scripting Vulnerability
# Exploit Author: Gh05t666nero
# Author Team: The A Team - Kejaksaan Agung
# Google Dork: "Powered by Infreshop"
# Software Vendor: Infreshop
# Software Version: *
# Software Link: http://www.infreshop.it [DOWN]
# Date: 2022-05-10
################################################################
[*] About:
----------
Infreshop is an Italy-based developer of a framework, theme, or CMS for e-commerce sites.
################################################################
[*] Detail:
-----------
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.
################################################################
[*] Impact:
-----------
The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:
- In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal.
- In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
- If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.
################################################################
[*] Remediation:
----------------
Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.
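Added example, not part of the original advisory and not Infreshop's code: for a numeric parameter such as `id` in `shop.php`, accept only an integer and HTML-encode the value at the point of output. The function names and the "unsafe" echo pattern are assumptions, since the application's source is not shown here.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: Infreshop's real shop.php source is not on the page.

/** Accept only a positive integer id; anything else is rejected (null). */
function parse_shop_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode a value for HTML text or a quoted attribute (both quote types). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Assumed vulnerable pattern: raw parameter echoed into a quoted attribute. */
function render_unsafe(string $raw): string
{
    return "<a href='shop.php?id=" . $raw . "'>next</a>";
}

/** Hardened: validate first, then encode at the point of output anyway. */
function render_safe(?string $raw): string
{
    $id = parse_shop_id($raw);
    if ($id === null) {
        return '<p>Invalid product id.</p>';   // caller should also send HTTP 400
    }
    return "<a href='shop.php?id=" . h((string) $id) . "'>next</a>";
}

// Constructed inputs: a normal id and the URL-decoded value from the PoC section.
$samples = ['6', "6''><img src=x onerror=prompt(1);>"];
foreach ($samples as $raw) {
    echo "raw:    ", $raw, PHP_EOL;
    echo "unsafe: ", render_unsafe($raw), PHP_EOL;
    echo "safe:   ", render_safe($raw), PHP_EOL, PHP_EOL;
}
```

Run with `php` on the command line: the unsafe renderer emits the injected `<img>` tag verbatim, while the hardened one rejects the non-integer value before any markup is built.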
################################################################
[*] Proof-of-Concept:
---------------------
https://www.aputea.it/it/shop.php?id=6%27%27%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
https://user.dalmenu.it/it/shop.php?id=31%27%27%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
################################################################
[*] Who-am-I:
-------------
Instagram: @ojansec
Telegram: @ojansec
Bugcrowd: @Gh05t666nero
Website: www.deepweb.id