RemoteClinic 2.0 – ‘Multiple’ Stored Cross-Site Scripting (XSS)

• Exploit Database
• 14 阅读

• 作者： Saud Ahmad
  日期： 2021-04-22
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49795/

• # Exploit Title: RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)
  # Date: 13/04/2021
  # Exploit Author: Saud Ahmad
  # Vendor Homepage: https://remoteclinic.io/
  # Software Link: https://github.com/remoteclinic/RemoteClinic
  # Version: 2.0
  # Tested on: Windows 10
  # CVE : CVE-2021-30030, CVE-2021-30034, CVE-2021-30039, CVE-2021-30042, CVE-2021-31329
  
  #Steps to Reproduce:
  
  1)Login in Application as Doctor.
  2)Register a Patient with Full Name Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
  3)After Register Patient, go to "Patients" endpoint.
  4)XSS Executed.
  
  For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/1
  
  #Steps to Reproduce:
  
  1)Login in Application as Doctor.
  2)Register a Patient.
  3)After Register Patient, a page redirect to Register Report Page. 
  4)Here is "Symptoms" Field as XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
  4)After Register Report, Click on home which is "dashboard" endpoint.
  5)XSS Executed.
  
  For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/5
  
  #Steps to Reproduce:
  
  1)Login in Application as Doctor.
  2)Register a Patient.
  3)After Register Patient, a page redirect to Register Report Page. 
  4)When you scroll down page two fields there "Fever" and "Blood Pressure", both are vulnerable to XSS, inject XSS Payload in both Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
  4)After Register Report, Click on home.
  5)Now Click on Report, XSS Executed.
  
  For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/8
  
  #Steps to Reproduce:
  
  1)Login in Application as Doctor.
  2)Register a New Clinic.
  3)Here is four fields "Clinic Name", "Clinic Address", "Clinic City" and "Clinic Contact". All are vulnerable to XSS. 
  4)Inject XSS Payload in all Fields: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
  4)Now go to Clinic Directory.
  5)Click on that Clinic.
  6)XSS Executed.
  
  For Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/11
  
  #Steps to Reproduce:
  
  1)Login in Application as Doctor.
  2)Create a New Medicine.
  3)Medicine Name Field is Vulnerable to XSS, inject with XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
  4)But there is client side validation on maxlength but not on server side. 
  4)Change maxlength 30 to 100.
  5)Click on Register.
  6)Now Click on Show All which is /medicines/ endpoint.
  7)XSS Executed.
  
  Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/14
  
  #Steps to Reproduce:
  
  1)Login in Application as Doctor.
  2)Create a New Staff Member.
  3)Here is Chat Field and Personal Address Field are Vulnerable to XSS, inject with XSS Payload: XSS"><img src=x onerror=alert(`XSS-BY-Saud-Ahmad`)>
  4)Profile Created.
  5)Signout.
  6)Now login with that staff member which Chat field and Personal Address field consist of XSS Payload.
  7)After Login, go to my profile.
  8)XSS Executed.
  
  Detail POC: https://github.com/remoteclinic/RemoteClinic/issues/16