Jump to content
Kwelwild

Google Fusion Tables Cross Site Scripting

By Kwelwild, in Exploituri

Recommended Posts

Kwelwild Newbie

Kwelwild

Posted
Posted

Google Fusion Tables suffers from a cross site scripting vulnerability.

# Title: Google Fusion Tables XSS (HTML Injection) Vulnerability
# Release Date: 07/03/2013
# Author: Junaid Hussain - [ illSecure Research Group ] 
# Contact: illSecResearchGroup@Gmail.com | Website: http://illSecure.com
# Vulnerable Application: https://www.google.com/fusiontables/DataSource?dsrcid=implicit
-------------------------------------------------------------------------------------------------------------------------------------------------------------
//#####  Process:
1. go to https://www.google.com/fusiontables/DataSource?dsrcid=implicit
2. Click "Create empty table" and then click "Next"
3. Click the drop down menu on the Cards1 tab
4. Select "Change Card Layout" and then go to the Custom Tab
5. Remove the HTML code add the following code into the box:
<A HREF="http://EVIL_SITE_HERE.COM"><h1>Click here to continue</h1></A>
6. Click save & then Click the share button (top right) and make the link public
7. Click the drop down menu on the Cards1 tab and select the Publish Option
8. Send the Publish Link to victim.
-------------------------------------------------------------------------------------------------------------------------------------------------------------
//##### Proof Of Concept:
PoC: https://www.google.com/fusiontables/embedviz?viz=CARD&q=select+*+from+19VGTDJasS8NJlbbqnsiDFA_qH7Q95e2dTOKd5RU&tmplt=1&cpr=2

Video: http://www.youtube.com/watch?v=OMCJQ8Atkek&feature=youtu.be
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Contact: illSecResearchGroup@gmail.com 
- Junaid Hussain
http://www.illsecure.com
-------------------------------------------------------------------------------------------------------------------------------------------------------------
Original: http://www.illsecure.com/2013/03/exclusive-google-fusion-tables-xss-html.html
------------------------------------------------------

Surs?: Google Fusion Tables Cross Site Scripting ? Packet Storm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...