
PHP Scripts Mall Online Lottery PHP Readymade Script 1.7.0 has Reflected Cross-site Scripting (XSS) via the err value in a .ico picture upload: [CVE-2019-9605]

Vulnerability Description => Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. In this case the reflected value is the "err" query parameter of profile.php, which the application sets after a picture upload.

⇣ ⇣ ⇣ ⇣ How to Exploit ⇣ ⇣ ⇣ ⇣

1. Go to the Online Lottery PHP Readymade Script site [http://74.124.215.220/~clienemo/demo/lottery]
⇓ ⇓ ⇓ ⇓

2. Click on Sign Up and register a new account
⇓ ⇓ ⇓ ⇓

3. Verify your mail id
⇓ ⇓ ⇓ ⇓

4. Return to the Online Lottery PHP Readymade Script site and log in to your account
⇓ ⇓ ⇓ ⇓

5. Go to My Profile and upload a picture with a .ico extension
⇓ ⇓ ⇓ ⇓

6. Now change the URL “err” value to the XSS script [74.124.215.220/~clienemo/demo/lottery/profile.php?err='”</Script><Html /Onmouseover=(alert)(1) // ]
⇓ ⇓ ⇓ ⇓

7. Press Enter and you will see the XSS popup on screen
⇓ ⇓ ⇓ ⇓
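The root cause behind the steps above is a server-side template that writes the "err" query parameter straight into the HTML response. The following is an added example, not code from the original post and not the PHP Scripts Mall product's own source (which is not shown here): an assumed reconstruction of that vulnerable pattern in a profile.php-style page, beside two hardened versions. Only the parameter name "err" comes from the advisory; the function names, the ERROR_MESSAGES table and the sample input are assumptions made for the illustration.

```php
<?php
// Added example (assumed reconstruction, not the product's code).
// The advisory says profile.php reflects the "err" query parameter; the
// three renderers below show the unsafe pattern and two ways to fix it.

// Vulnerable pattern (assumed): the raw query parameter is concatenated
// into markup, so any <, >, " or ' in it is interpreted by the browser.
function render_error_unsafe(string $err): string
{
    return '<div class="error">' . $err . '</div>';
}

// Fix 1: output-encode for the HTML context. ENT_QUOTES also encodes
// single and double quotes, so the value cannot break out of an attribute.
function render_error_escaped(string $err): string
{
    return '<div class="error">'
        . htmlspecialchars($err, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Fix 2 (preferred): treat "err" as an opaque key into a fixed table of
// messages. Unknown keys fall back to a generic text, so attacker-controlled
// bytes never reach the page at all. The keys and texts are assumptions.
const ERROR_MESSAGES = [
    'badext'   => 'Only .jpg, .png and .gif images are accepted.',
    'toolarge' => 'The image exceeds the size limit.',
];

function render_error_keyed(string $err): string
{
    $msg = ERROR_MESSAGES[$err] ?? 'Upload failed.';
    // Encoding is still applied: defence in depth if the table is ever
    // populated from a less trusted source.
    return '<div class="error">'
        . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Demonstration with a constructed input of the same shape as a markup
// injection attempt (a quote plus a tag). On the CLI $_GET is empty, so the
// constructed sample is used; in a web context the query parameter is used.
$sample = (string) ($_GET['err'] ?? '"><b>x</b>');

echo "unsafe : " . render_error_unsafe($sample)  . PHP_EOL;
echo "escaped: " . render_error_escaped($sample) . PHP_EOL;
echo "keyed  : " . render_error_keyed($sample)   . PHP_EOL;
```

Run with `php profile_err_example.php` (any file name will do). The "unsafe" line shows the tag passed through intact, the "escaped" line shows it as `&quot;&gt;&lt;b&gt;x&lt;/b&gt;`, and the "keyed" line shows only the generic fallback message because the sample is not a known key. A Content-Security-Policy header that disallows inline script is a useful second layer on top of either fix, but it does not replace output encoding.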
