QUICK CART V6.6 Persistent XSS

# Exploit Title: QUICK CART V6.6 Persistent XSS
# Date: 19/01/2016
# Exploit Author: Mr T
# Exploit Authors Website: http://www.securitypentester.ninja
# Vulnerable Version: V6.6
# Tested on: Linux
#  Vendor doesn’t consider this a vulnerability.

Persistent XSS

Issue No # 1
Persistent XSS on parameter “title”
Request Sent:

POST /admin.php?p=tools-config HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=ijfqciqrrhme9g3rghoj7oatr3; sLogin=admin; bLicense66=true
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 824

Continue reading

Odesk bug reporting XSS


While crawling few websites in search of XSS i was able to find one on Odesk, unfortunately i was unable to report the vulnerability was it is not on odesk.com , the security bug report program is being run by bugcrowd.com.

Any how i have emailed them about this vulnerability, as soon as i get a Positive reply i will post the vulnerability. It has been almost a month now, lets see how how they take to reply.



VLDPersonals Cross-Site Scripting XSS


# Exploit Title: VLD Personals – Cross Site Scripting ( Reflective ) with admin authentication.
# Notified VLD Personals Date: 02/FEB/2015

# Exploit Author: Mr T
# Exploit Authors Website: http://www.securitypentester.ninja
# Vendor Homepage: http://www.vldpersonals.com/
# Software Link: http://www.vldpersonals.com/clients/downloads.php
# Vulnerable Version: 2.7.1
# Fixed Version 2.7.2
# Tested on: Windows / Linux

XSS in "what" Parameter

XSS in “what” Parameter

Continue reading

Slider Revolution and RevSlider Exploit WordPress


In my everyday malware reverse engineering experience i come across multiple websites injections by malware, these malware are very much unique and cannot be found easily using search strings . Recently i was given a task to clean malware from a infected website.  The website was using the very famous wordpress cms, when i search the internet i found multiple exploits which can be used to upload a backdoor into any website which is vulnerable due to outdated Slider plugin.


Continue reading

Whatsapp Remote Crash POC


Recently a vulnerability has been discovered in a widely used mobile application “WhatsApp” , This application is being used by million’s of mobile phone users for messaging.

Two young security researchers have found a vulnerability which can remotely crash whatsapp by sending a specially crafted message of 2000 words ( 2 KB ) in size.

WhatsApp Remote Crash

Continue reading